Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Eye Scans Meet Federal ID Cards

National Institute for Standards and Technology ruling gives government agencies the option to use use iris scans instead of fingerprints to identify card holder.

10 Space Technologies That Help On Earth
10 Space Technologies That Help On Earth
(click image for slideshow)
The National Institute for Standards and Technology (NIST) has released new guidelines that broaden the options for verifying individuals using biometric identification methods. By adding iris images and on-card fingerprint comparison to Personal Identity Verification (PIV) cards, federal agencies could achieve "stronger security and greater operational flexibility," NIST said.

The guidelines, published on Friday, say that agencies may add iris images as an alternate to fingerprints. According to NIST, collecting fingerprints can be difficult in instances where fingers are too dry to produce a good image, lotions are used, or skin is wounded. Images of one or both irises -- compact at no more than 3 kilobytes each -- can be loaded on the PIV card for faster reading times. The document includes specifications for iris biometrics and iris cameras to ensure interoperability across agencies using iris recognition technology.

The guidelines also explain how to place one or two compact fingerprint templates and a recognition algorithm on the card. This identification method can be used when an employee is signing a document digitally or opening a secure file.

[ These mobile apps from the government are must haves. Read 10 Helpful Apps From Uncle Sam. ]

NIST provided an example of a person placing his finger on a reader attached to a keyboard for confirmation of identity, versus typing in a personal identification number (PIN). During an authentication attempt, the templates can be compared on the reader device. The cardholder must enter a PIN number to release the templates, thereby meeting Federal Information Processing Standards (FIPS) for the multi-factor authentication.

The new provision expands the options for agencies issuing PIV cards, which are used by federal employees and contractors to access government facilities and computer networks. A PIV card typically includes a photo, fingerprint information, personal identification number (PIN) and a cryptographic credential, which is computer-generated data recognized only by the PIV system.

The new guidelines are the latest in a move to PIV mandated by Homeland Security Presidential Directive 12 (HSPD 12), a federal cybersecurity initiative the government created to increase security and efficiency and reduce identity fraud. NIST drafted specifications for biometric ID cards in April 2011 to include a clause that would require the use of iris scanning if fingerprinting was problematic.

NIST has come under fire for taking too long to create a standard for the use of iris images in federal identity cards. During a June 19 hearing of the House Oversight and Government Reform subcommittee on government operations, Charles Romine, director of NIST's Information Technology Lab, was questioned by subcommittee chairman John Mica (R-Fla.) about the absence of technical guidance for federal agencies. Mica cited testimony from Romine’s predecessor, Cita Furlani, who promised in 2011 that the standard would be ready within months. She retired shortly after without delivering on the promise.

In a related effort, NIST and the Department of Homeland Security's (DHS) Science and Technology Directorate are working on a publication that will define both optical imaging specifications and test methods for iris cameras.

"The iris standard can support PIV authentication and other uses, such as e-passports," NIST's biometric testing project leader Patrick Grother said in a written statement. "More importantly, the iris standard ensures that the iris data is interoperable, that is, it can be exchanged easily between cameras and readers from different makers and across the world."

In May, the DHS issued a request for proposals in an effort to upgrade to a new smart-card system that incorporates advanced technology. The 10-year, $99.5 million plan seeks to replace 61,924 PIV cards in 2013 and 116,172 cards in 2014. The winning contractor will be responsible for issuing and managing approximately 300,000 cards. The DHS included iris recognition as one of the implementation requirements, particularly iris capture, storage and matching.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...