Federal agencies in the U.S. have begun issuing a secure form of government-wide ID known as Personal Identity Verification (PIV) cards. Unlike conventional ID cards (known as "physical access control systems" or PACS), PIV cards are intended to interoperate between government agencies. In addition, ID cards need to verify the cardholder's identity with an appropriate degree of confidence (denoted SOME, HIGH, OR VERY HIGH), depending upon the level of security needed at the particular location in the federal facility. Current PACS, however, may not be tailored to work at these graduated levels of "authentication assurance."
A draft report entitled A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS) prepared by the NIST's Computer Security Resource Center explains methods for verifying identity in a model describing four zones of increasing security in a facility. The zones are unrestricted (e.g., outside the fence or walls of the facility), controlled (e.g., inside the fence or front door), limited (e.g., past a security checkpoint for employees in a facility), and exclusion (secure areas granted to individuals for specific needs). The report specifies increasingly sophisticated authentication mechanisms for these zones, from visual and CHUID authentication (inspection of the features on the front and back of the PIV card and reading a unique number from the card) to biometrics (for example, the use of distinguishing features in fingerprints) and PKI Authentication (exchange of cryptographic information that requires users to enter PINs).
