In Depth

HSPD-12: United States of Access Control

A fast-approaching smart card deadline for federal agencies could be the seminal moment for bringing together physical and logical access control. But is the government trying to do too much too soon?

By Sarah D. Scalet

Page 3

Within six months of being signed, that two-page directive turned into hundreds of pages of instructions, the centerpiece of which was created by the National Institute of Standards and Technology (which is part of Commerce). This standard, Federal Information Processing Standard 201, Personal Identity Verification of Federal Employees and Contractors, is referred to as FIPS 201.

The standard is split into two parts. The first part is supposedly the easy part. It establishes processes for making sure that identification is issued only to individuals who have met certain requirements, such as having a background check completed. The idea is that if these identity-proofing and issuance processes are standardized, it will be easier for one agency to trust a card issued by another.

The second part of FIPS 201 is more complicated. It is the technical part of the standard and establishes smart cards (which contain a microprocessor that can both store and process data) as the new form of identification. Part two of FIPS 201 lays out not only the physical format of the credit card-sized cards but also cryptographic, biometric and card reader specifications. It contains what seems like an impossible level of detail about the cards, right down to font size (5 pt., 6 pt. and 10 pt.).

You'd be crazy to know any more about FIPS 201 than you have to, but a few components are key:

1. The cards must be capable of being read in two ways: with a "contactless" reader and a "contact" reader, both of which must meet International Organization for Standardization (ISO) standards (ISO/IEC 14443 for the contactless interface and ISO/IEC 7816 for the contact interface). The contactless reader is intended for situations where speed is key, to allow cardholders to pass quickly through, say, the main entrance to a building without creating long lines. The contact reader is intended for higher-security applications where speed is less important and there's time for the card to be physically inserted, a PIN entered and, if required, a fingerprint checked.

2. The cards must contain a biometric component: in addition to a photograph, templates of two fingerprints. However, these templates must be available only when the card is physically inserted into a reader and the cardholder punches in a PIN; they are never released over the contactless interface. This setup assuages privacy concerns about, say, a fingerprint template being skimmed from someone's card as he walks by. It also means that in any situation where biometrics are used, there is three-factor authentication: something the individual has (the card), something he knows (the PIN) and something that's part of him (a fingerprint).

3. The cards must contain a unique identifier. Remember, up until now, each agency (and usually, each location of each agency) was on its own for issuing access cards. The new smart cards will eventually be rolled out to millions of federal employees and contractors. For the systems to keep cardholders straight, each card must contain a credential number, an expiration date and a digital signature from the issuing agency that covers both. The signature is what lets a reader at one agency trust a number issued by another: it proves the identifier came from a legitimate issuer and that neither the number nor the expiration date has been altered since.
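The following Python model shows why the three items above fit together: the signed identifier can be read on either interface and checked for tampering and expiry, while the fingerprint templates are released only over the contact interface after a correct PIN, giving one, two or three factors depending on how the card is presented. This is an added example written for this page, not code from the article, from NIST or from any PIV implementation. It assumes constructed sample data, a hypothetical PIVCard class, a three-try PIN lockout, and an HMAC-SHA256 keyed tag standing in for the issuer's asymmetric signature so that the example runs with the standard library alone; a real PIV card carries an asymmetric signature that any agency can verify with only the issuer's public key.

```python
import hashlib
import hmac
import json
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample key for this example only; stands in for the issuer's
# signing key (assumption: HMAC replaces the asymmetric signature used by PIV).
ISSUER_SIGNING_KEY = b"example-issuer-key-not-a-real-secret"

CONTACT = "contact"
CONTACTLESS = "contactless"


def canonical_bytes(record: Dict[str, str]) -> bytes:
    """Serialize the signed fields deterministically so issuer and reader hash identical bytes."""
    fields = {k: record[k] for k in ("credential_number", "expires")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(credential_number: str, expires: date) -> Dict[str, str]:
    """Issuer side: bind the credential number and expiration date together under one signature."""
    record = {"credential_number": credential_number, "expires": expires.isoformat()}
    record["signature"] = hmac.new(ISSUER_SIGNING_KEY, canonical_bytes(record), hashlib.sha256).hexdigest()
    return record


def verify_credential(record: Dict[str, str], today: date) -> Tuple[bool, str]:
    """Reader side: reject a record whose signature fails or whose signed expiry has passed."""
    expected = hmac.new(ISSUER_SIGNING_KEY, canonical_bytes(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("signature", "")):
        return False, "bad signature"
    if date.fromisoformat(record["expires"]) < today:
        return False, "expired"
    return True, "ok"


class PIVCard:
    """Hypothetical card model: identifier readable on either interface,
    fingerprint templates only over the contact interface after a correct PIN."""

    MAX_PIN_TRIES = 3  # assumption: lockout after three wrong PINs

    def __init__(self, credential: Dict[str, str], pin: str, fingerprint_templates: List[str]):
        self._credential = credential
        self._pin = pin
        self._templates = fingerprint_templates
        self._pin_verified = False
        self._tries_left = self.MAX_PIN_TRIES

    def read_identifier(self, interface: str) -> Dict[str, str]:
        # The signed identifier is public data and is served on both interfaces.
        return dict(self._credential)

    def verify_pin(self, interface: str, pin: str) -> bool:
        # PIN entry is only accepted over the contact interface, and never once locked out.
        if interface != CONTACT or self._tries_left == 0:
            return False
        if hmac.compare_digest(self._pin.encode(), pin.encode()):
            self._pin_verified = True
            self._tries_left = self.MAX_PIN_TRIES
            return True
        self._tries_left -= 1
        self._pin_verified = False
        return False

    def read_fingerprints(self, interface: str) -> Optional[List[str]]:
        # Templates are released only after a successful contact-interface PIN check.
        if interface != CONTACT or not self._pin_verified:
            return None
        return list(self._templates)


def reader_decision(card: PIVCard, interface: str, today: date,
                    pin: Optional[str] = None, live_template: Optional[str] = None) -> Dict[str, object]:
    """Authenticate with as many factors as the interface allows and report which were satisfied."""
    ok, reason = verify_credential(card.read_identifier(interface), today)
    result: Dict[str, object] = {"card": ok, "pin": False, "fingerprint": False, "reason": reason}
    if ok and pin is not None and card.verify_pin(interface, pin):
        result["pin"] = True
        templates = card.read_fingerprints(interface)
        if templates is not None and live_template in templates:
            result["fingerprint"] = True
    result["factors"] = sum(1 for k in ("card", "pin", "fingerprint") if result[k])
    return result


if __name__ == "__main__":
    cred = issue_credential("0001-0001", date(2010, 12, 31))  # constructed sample credential
    card = PIVCard(cred, "1234", ["tmpl-right-index", "tmpl-left-index"])
    print(reader_decision(card, CONTACTLESS, date(2008, 1, 1), pin="1234", live_template="tmpl-right-index"))
    print(reader_decision(card, CONTACT, date(2008, 1, 1), pin="1234", live_template="tmpl-right-index"))
```

The point the model makes is that the expiration date is only worth checking because it sits under the same signature as the credential number; a reader that trusted an unsigned expiry field would accept a card whose date had simply been rewritten. The lockout counter matters for the same reason the templates are PIN-gated: a card in the wrong hands should not yield its biometrics to a brute-forced PIN.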
