Alliance Activities : Publications : Authentication Mechanisms for PACS

Authentication Mechanisms for Physical Access Control Systems

Publication Date: October 2009

In December 2003, the Office of Management and Budget (OMB) issued M-04-04, “E- Authentication Guidance for Federal Agencies.” Subsequently, the E-Authentication Initiative (EAI) was established to assist agencies in their efforts to develop trust relationships with their user communities through the use of electronic identity credentials. Homeland Security Presidential Directive 12 (HSPD-12), signed in August 2004, set the policy for a common identification standard for Federal employees and for contractors who are conducting business with Federal agencies and who require access to physical and information technology (IT) resources. In February 2005, in response to HSPD-12, the National Institute of Standards and Technology (NIST) Computer Security Division developed Federal Information Processing Standard (FIPS) 201 Personal Identity Verification (PIV) of Federal Employees and Contractors, and, subsequently, Special Publication (SP) 800 73-1 and SP 800 73-2, Interfaces for Personal Identity Verification, to define the technical requirements and specifications for a common identity credential. These identity credentials are referred to as personal identification verification (PIV) cards.

The EAI provides the capability for any government agency to validate an electronic identity credential to authenticate an individual’s identity before that individual is granted access to IT or physical resources. To accomplish this, the PIV card incorporates multiple technologies that, in combination, establish a level of trust in both the individual’s claimed identity and the validity of the credential itself. The process relies on possession of the PIV card, methods that bind the credential to an individual through biometric verification, and special knowledge (a personal identification number (PIN)). Authentication and validation are accomplished using cryptography and public key infrastructure (PKI) to validate the PIV certificate to a certificate authority (CA). The validation process is accomplished according to a common, federated identity model that defines both the policy and the technical infrastructure for identity management.

Applying these electronic identity credentials to a physical access control system (PACS) requires both technical infrastructure and guidance policies. HSPD-12, FIPS 201, NIST SP 800-73, and NIST SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), are examples of the regulatory and guidance framework that are required for successful implementation of a project of this magnitude.

SP 800-116, published in November 2008, provides useful guidance on where to deploy the various PIV authentication mechanisms. However, a number of scenarios are not covered. Local security authorities are left with unanswered questions when faced with legacy technologies and occasionally conflicting regulations. This document highlights some of these situations and suggests some additional authentication mechanisms for security authorities to consider.

The white paper describes:

About the Physical Access Council

The Smart Card Alliance Physical Access Council is focused on accelerating widespread acceptance, use, and application of smart card technology for physical access control. The Council brings together leading users and technologists from both the public and private sectors in an open forum and works on activities that are important to the physical access industry and address key issues that end user organizations have in deploying new physical access system technology. The Physical Access Council includes participants from across the smart card and physical access control system industry, including end users; smart card chip, card, software, and reader vendors; physical access control system vendors; and integration service providers.

Physical Access Council members involved in the development of this white paper included: AMAG Technology, CSC, Diebold, Gemalto, Hirsch Electronics, HP Enterprise Services, Identification Technology Partners, IDmachines, JMF Solutions, LLC, Roehr Consulting, XTec, Inc.