Q: What is the Personal Identity Verification Project and how will the standard impact an access control system?

A: In August of 2004, President Bush issued Homeland Security Presidential Directive/Hspd-12, which is a Policy for a Common Identification Standard for Federal Employees and Contractors. The draft of the standard is on the project web site at http://csrc.nist.gov/piv-project/.

The standard is divided into two parts, PIV-I and PIV-II. The first part (PIV-I) sets minimum requirements for a Federal personal identification system, including the personal identity proofing process, but does not address the interoperability of Personal Identity Verification (PIV) cards and systems among agencies.

The second part (PIV-II) provides detailed specifications, including personal authentication, access control, and Personal Identity Verification (PIV) card management systems for technical interoperability of (PIV) cards across the Federal Government.

The standard sets up requirements for authenticating and verifying the identity of the individual that vary based on the sensitivity of the position of the individual. In some cases, verification can be done based on documents, in others fingerprinting and background checks will be required. It also requires that employees and contractors be treated as visitors and not be issued long-term identity credentials until the required credential verification or background investigation is complete.

The main impact is on the design of the credential used:

• Specific information must be printed on the card in designated areas. Holes or punches, decals and embossing are not allowed on the card. Each card must contain a circuit chip and a contact and contactless interface.
• A tri-modal or bi-modal optical variable device (OVD) or optical variable ink (OVI) must be embedded in the card material on the front of the card.
• The chip in each card must store: a Personal Identification Number (PIN); a Cardholder Unique Identification object (CHUID); one asymmetric key pair and corresponding certificate associated with the cardholder; two biometric fingerprints; and a Biometric facial image.

Optical variable ink (OVI) contains tiny flakes of special film or ink embedded in the card that change color as the viewing angle is varied. This security device allows a control that is visible to the naked eye without any special equipment, and prohibits the card from being photocopied (only one color will appear).