View this document as: a single page | multiple pages.
\addtocontents{toc}{\protect\clearpage} % force a page break in the ToC

6. PIV Cardholder Authentication

This section is normative. It defines a suite of authentication mechanisms that are supported by all PIV Cards as well as the applicability of these mechanisms in meeting the requirements for a set of graduated assurance levels. This section also defines some authentication mechanisms that make use of credential elements that MAY optionally be included on PIV Cards. Specific implementation details of authentication mechanisms identified in this section are provided in [SP 800-73]. Graduated authenticator assurance levels are also applicable to derived PIV credentials used in accordance with [SP 800-157].

While this section identifies a wide range of authentication mechanisms, departments and agencies may adopt additional mechanisms that use the identity credentials on the PIV Card. In the context of the PIV Card application, authentication is defined as the process of establishing confidence in the identity of the cardholder presenting a PIV Card. The authenticated identity can then be used to determine the permissions or authorizations granted to that identity for access to various physical and logical resources.

The authentication mechanisms in this section describe how to authenticate using the PIV Card directly. The authenticated identity can also be used to create an identity assertion as part of a federation protocol, as described in Section 7 and further specified in [SP 800-217].

6.1 PIV Assurance Levels

This Standard defines multiple levels of assurance for logical and physical access. Each assurance level establishes a degree of confidence that the presenter of the PIV Card is the person referred to by the PIV credential. The entity performing the authentication further establishes confidence that the person referred to by the PIV credential is a specific person identified through the rigor of the identity proofing process conducted prior to issuance of the PIV Card and the security of the PIV Card and issuance and maintenance processes specified in Section 2. The PIV identity proofing, registration, issuance, and maintenance processes meet1 the requirements for IAL3, as defined in [SP 800-63A].

The PIV Card contains a number of logical credentials that are used by the authentication mechanisms specified in Section 6.2. PIV assurance levels may vary depending on the PIV authentication mechanism used. The assurance levels for physical and logical access are specified in Section 6.3.1 and Section 6.3.2, respectively.

Parties responsible for controlling access to federal resources (both physical and logical) SHALL determine the appropriate assurance levels required for access based on the harm and impact to individuals and organizations that could occur as a result of errors in the authentication of the PIV cardholder. Once the required assurance level has been determined, one of the authentication mechanisms specified in Section 6.2 SHALL be applied to achieve that assurance level.

6.1.1 Relationship to Federal Identity Policy (Removed)

Note: This section was formerly entitled “Relationship to OMB’s E-Authentication Guidance.”

The content of this section has been removed since OMB [M-04-04] has been rescinded by OMB [M-19-17], which recognizes the IALs and AALs defined in NIST [SP 800-63] as the framework for managing digital identity risks within the Federal Government. The policy established by [HSPD-12] still applies under this new memorandum.

A mapping between PIV authentication mechanisms and SP 800-63 authenticator assurance levels can be found in Section 6.3.2.

6.2 PIV Card Authentication Mechanisms

The following subsections define the basic types of authentication mechanisms that are supported by the credential set hosted by the PIV Card application. PIV Cards can be used for authentication in environments that are equipped with contact or contactless card readers. The usage environment affects the PIV authentication mechanisms that may be applied to a particular situation.

6.2.1 Authentication Using Off-Card Biometric One-to-One Comparison

The PIV Card application hosts the fingerprint biometric templates, electronic facial image, and optional electronic iris images. These biometric data records can be read from the card following CTC authentication using a PIN supplied by the cardholder. The biometric data records are designed to support the CTE authentication mechanism through an off-card biometric one-to-one comparison scheme. The following subsections define two authentication mechanisms that make use of biometric data records.2

Some characteristics of the authentication mechanisms using biometric data are as follows:

6.2.1.1 Unattended Authentication Using Biometric Data (BIO)

The following steps SHALL be performed for unattended authentication using biometric data:

6.2.1.2 Attended Authentication Using Biometric Data (BIO-A)

In this higher assurance variant of BIO, an attendant (e.g., security guard) supervises the submission of the new biometric sample by the cardholder. Otherwise, the steps for this authentication mechanism are the same as in Section 6.2.1.1.

6.2.2 Authentication Using On-Card Biometric One-to-One Comparison (OCC-AUTH)

The PIV Card application MAY host an optional OCC algorithm. In this case, OCC data is stored on the card, which cannot be read from the card but could be used for biometric verification. A fingerprint biometric template is supplied to the card to perform CTC authentication, and the card responds with a positive or negative biometric verification decision. The response includes information that allows the reader to authenticate the card. Entry of the cardholder PIN is not required for OCC-AUTH. The PIV Card SHALL include a mechanism to block this authentication mechanism after a number of consecutive failed authentication attempts as stipulated by the department or agency. As with BIO and BIO-A, if agencies choose to implement OCC, it SHALL be implemented as defined in [SP 800-73] and [SP 800-76].

Some of the characteristics of OCC-AUTH are as follows:

6.2.3 Authentication Using PIV Asymmetric Cryptography

The PIV Card contains two mandatory asymmetric authentication private keys and corresponding certificates to support CTE authentication, as described in Section 4. The following subsections describe how to perform authentication using the authentication keys.

6.2.3.1 Authentication with the PIV Authentication Certificate Credential (PKI-AUTH)

The following steps SHALL be performed for PKI-AUTH:

Some of the characteristics of the PKI-based authentication mechanism are as follows:

6.2.3.2 Authentication with the Card Authentication Certificate Credential (PKI-CAK)

The following steps SHALL be performed for PKI-CAK:

Some of the characteristics of the PKI-CAK authentication mechanism are as follows:

6.2.3.3 Authentication Using Secure Messaging Key (SM-AUTH)

The PIV Card MAY include a secure messaging key and corresponding CVC to establish symmetric keys for use with secure messaging. The same key, CVC, and key establishment protocol can also be used for authentication, since the PIV Card is authenticated in the process of establishing secure messaging. Details of the SM-AUTH authentication mechanism are specified in [SP 800-73] and [SP 800-78].

Some of the characteristics of the secure messaging authentication mechanism are as follows:

6.2.4 Authentication Using the Symmetric Card Authentication Key (SYM-CAK) (Deprecated)

The symmetric card authentication key and associated SYM-CAK authentication mechanism are deprecated in this version of the Standard. Both the key and the authentication mechanism may be removed in a future version of this Standard.

If the symmetric card authentication key is present, it SHALL be used for PIV cardholder authentication using the following steps:

Some of the characteristics of the symmetric card authentication key authentication mechanism are as follows:

6.2.5 Authentication Using the CHUID (Removed)

The content of this section has been removed since the CHUID authentication mechanism is no longer allowed under FIPS-201.

The BIO, BIO-A, and the deprecated SYM-CAK authentication mechanisms use the CHUID data element as a source for the card’s expiration date. The CHUID data element also provides the content signing certificate for some authentication mechanisms and unique identifiers for PACS ACLs. Therefore, the CHUID data element remains a required on-card data element, as described in Section 4.2.1.

6.2.6 Authentication Using PIV Visual Credentials (VIS) (Deprecated)

Visual authentication of a PIV cardholder as a stand-alone authentication mechanism has been deprecated in this version of the Standard. The mechanism provides little or no assurance of the cardholder’s identity and SHOULD NOT be used. It is expected that the stand-alone use of visual authentication will be removed from this Standard in a future revision.

\clearpage

The PIV Card has several mandatory features on the front (see Section 4.1.4.1) and back (see Section 4.1.4.2) that support visual identification and authentication:

Zone 1F
Photograph
Zone 2F
Name
Zone 8F
Employee Affiliation
Zone 10F
Agency, Department, or Organization
Zones 14F and 19F
Card Expiration Date
Zone 15F
Color-Coding for Employee Affiliation
Zone 1B
Agency Card Serial Number
Zone 2B
Issuer Identification Number

In addition, any available security features described in Section 4.1.2 SHOULD be checked in a visual inspection to provide additional assurance that the PIV Card is genuine and unaltered.

The PIV Card may also have several optional components on the front (see Section 4.1.4.3) and back (see Section 4.1.4.4) that support visual identification and authentication, such as:

Zone 3F
Signature
Zone 11F
Agency Seal
Zone 5B
Physical Characteristics of Cardholder

When a cardholder attempts to pass through an access control point for a federally controlled facility, a human guard SHALL perform visual identity verification of the cardholder and SHALL determine whether the identified individual should be allowed through the control point. The following steps SHALL be applied in the visual authentication process:

Some characteristics of the visual authentication mechanism include the following:

6.3 PIV Support of Graduated Authenticator Assurance Levels

The PIV Card supports a set of authentication mechanisms that can be used to implement graduated assurance levels. The assurance levels used for remote/networked access within this Standard are closely aligned with NIST [SP 800-63], which specifies a digital identity risk management process that is cited by OMB [M-19-17].

The following subsections specify which PIV authentication mechanisms can be used to support various assurance levels described in this section. Two or more authentication mechanisms MAY be applied together to achieve additional assurance of the identity of the PIV cardholder. For example, PKI-AUTH and BIO may be applied in unison to achieve additional assurance of cardholder identity.

Adequately designed and implemented relying systems can achieve the PIV Card assurance levels stated in Section 6.3.1 for physical access and in Section 6.3.2 for logical access. Relying systems that are inadequately designed or implemented may only achieve lower assurance levels. The design of the components of relying systems—including card readers, biometric capture devices, cryptographic modules, and key management systems—involves many factors not fully specified by FIPS 201, such as correctness of the functional mechanism, physical protection of the mechanism, and environmental conditions at the authentication point. Additional standards and best practice guidelines (e.g., [SP 800-53], [FIPS 140], and [SP 800-116]) apply to the design and implementation of relying systems.

The authentication mechanisms described in the subsections below apply specifically to the use of PIV Cards for physical and logical access. Authentication mechanisms for physical and logical access using derived PIV credentials is described in [SP 800-157].

6.3.1 Physical Access

The PIV Card can be used to authenticate the cardholder in a physical access control environment using the authentication mechanisms described in Section 6.2. Each authentication mechanism provides a degree of assurance, as summarized in Table 6-1, based on its characteristics outlined in Section 6.2.

Table 6-1. PIV Authentication Mechanisms for Physical Access

PIV Authentication Mechanism Assurance Provided
PKI-CAK Some confidence in the asserted identity
SM-AUTH Some confidence in the asserted identity
BIO Medium confidence in the asserted identity
BIO-A High confidence in the asserted identity
OCC-AUTH High confidence in the asserted identity
PKI-AUTH High confidence in the asserted identity
VIS (deprecated) Little or no confidence in the asserted identity
SYM-CAK (deprecated) Some confidence in the asserted identity

Each PIV authentication mechanism provides one or two factors of authentication. The mechanisms can be combined7 to achieve up to three authentication factors (e.g., to access exclusion security areas). The number of factors afforded by each authentication mechanism and the required factors to access the controlled, limited, or exclusion security areas are further detailed in [SP 800-116].

The selection of authentication assurance levels SHALL be made in accordance with the applicable policies for a facility’s security level [RISK-MGMT-FACILITIES]. Additional guidelines for the selection and use of PIV authentication mechanisms for facility access can be found in NIST [SP 800-116].

6.3.2 Logical Access

The PIV Card can be used to authenticate the cardholder in support of decisions regarding access to logical information resources. For example, a cardholder may authenticate to their department or agency network using the PIV Card; the identity established through this authentication process can be used to determine access to information systems and applications available on the network.

Table 6-2 lists the authentication mechanisms defined for this Standard to support logical access control for remote/networked access. An authentication mechanism that is suitable for a higher assurance level can also be applied to meet the requirements for a lower assurance level.

Table 6-2. PIV Authentication Mechanisms for Remote/Network Access

PIV Authentication Mechanism Supported Authenticator Assurance Level
PKI-CAK AAL1
PKI-AUTH AAL3

The [SP 800-63] defined authenticator assurance levels are not specified for local authentication use cases (i.e., authentication to a resource co-located with the cardholder). Nevertheless, the PIV authentication mechanisms provide for graduated levels of authentication assurance for local authentication use cases based on their characteristics outlined in Section 6.2. The assurance provided by each of the PIV authentication mechanisms for local authentication use cases is summarized in Table 6-3.

Table 6-3. PIV Authentication Mechanisms for Local Workstation Access

PIV Authentication Mechanism Assurance Provided
PKI-CAK Some confidence in the asserted identity
BIO Medium confidence in the asserted identity
BIO-A High confidence in the asserted identity
OCC-AUTH High confidence in the asserted identity
PKI-AUTH High confidence in the asserted identity
  1. As described in Section 2.7, compensating controls can be applied for identity source document evidence to achieve IAL3 since the Standard only specifies one piece of Strong evidence and one other piece of Fair evidence. Issuance of PIV Card meets IAL3 since the federal background investigation serves as a comparable compensating control for IAL3 identity proofing. 

  2. As noted in Section 4.2.3.1, fingerprint biometric templates are not guaranteed to contain biometric characteristic data since it may not be possible to collect fingerprints from some cardholders. Additionally, electronic iris images are not guaranteed to be present on a PIV Card since iris biometric capture is optional. When biometric verification cannot be performed, PKI-AUTH is the recommended alternate authentication mechanism. 

  3. The PIV authentication certificate or card authentication certificate may be used instead of the CHUID to verify that the card is not expired. 

  4. The policy OID for the PIV authentication certificate is id-fpki-common-authentication

  5. The policy OID for the card authentication certificate is id-fpki-common-cardAuth

  6. The PIV authentication certificate or card authentication certificate may be leveraged instead of the CHUID to verify that the card is not expired. 

  7. Combinations of authentication mechanisms are specified in [SP 800-116]