FIPS-201 Improvements Reviewed

By: Brian Rhodes, Published on Jul 19, 2012

A new version of FIPS-201 is being introduced, but does the update make it more relevant to the physical security industry? To a large extent, FIPS-201 has been responsible for issuing large numbers of new credential cards, but has failed to change physical access control systems. Does the update rectify this? In this note, we examine the draft update and analyze what it means for the physical security industry.

Key Changes

One of FIPS-201's coauthors, the National Institute of Standards and Technology (NIST), has hosted several webinars and events circulating the revised standard, named FIPS-201-2. We joined one webinar in a series hosted by NIST that discuss the proposed changes with public participants, and while no agenda or minutes of that webinar were published, we cover the pieces most relevant to physical security below:

  • Credentials can be issued for 6 years, instead of 5.
  • Guidelines for implementing biometrics (fingerprints) into PIV cards are now included.
  • Guidelines for introducing 'E-Authentication' on cellphones or other flexible electronic devices are now included.
  • The physical access FIPS-201 compliant products is limited to a handful of vendors due to poor specifications

While the full impact of proposed changes to existing credential process is being evaluated, the draft changes do not obsolete any currently issued credentials.

History of Update: When FIPS 201 was initially introduced in 2005, its focus was predominantly on standardizing Logical Access credentials first. Supporting the standardization of Physical Access credentials fall under FIPS-201 scope, but the vastness of the effort has delayed much tangible focus. As a result, the importance/implementation of FIPS-201 has been mixed on the physical access side, and to date has primarily focused on issuing new 'PIV compliant' credentials. This update bridges some of the gaps on the Physical Access side by providing guidelines on how to properly issue and administrate biometric and electronic credentials.

Biometrics: This draft tightens up biometrics implementation by describing how they are used in '3 factor' verification, which the standard describes as:

  • "Something You Know": Personal ID Number
  • "Something You Have": Provisioned Access or Clearance by Higher Authorities
  • "Something You Are": Biometric Information, like Fingerprint Scan Information

The draft standard requires at least two fingerprint scans for biometric analysis. While the standard also mentions a 'facial image', this conveys a picture image and not iris or facial biometric scans. New biometric information is to be collected every time a PIV credential is issued, which is a maximum of 6 years.

E-Authentication: The revised standard opens the door for potential NFC style PIV credentials. While the standard does not specifically identify NFC technology, a new section mirroring OMB's 'E-Authentication Guidance' [link no longer available] standard is included. This proposed authentication methods include guidelines for issuing E-Credentials with 'Very High Confidence', meaning that the highest level of credential can be extended to this technology.

Criticism

Poor Specification means No Products: During the session, a physical security member criticised the standard, claiming the difficulty manufacturers face when designing FIPS 201 compliant products. The member point out, and the panel validated, that the 'approved product list' for FIPS 201 is limited to only a few vendors. Because the specification is difficult to interpret for many manufacturers, they choose to avoid designing compliant products. Consensus that better design specifications need to be published in order for many physcial security companies to 'enter the game'.

Market Impact

The update does little to change to current implementation of FIPS-201, and requires no new additional equipment or credentials. It does however, expand the current standard to include emerging credentials technologies like NFC. While this new standard has yet to be formally approved, it does not appear to substantially change physical access systems.

Standardizing FIPS-201 between logical and physical access control remains a huge obstacle, apparently to be addressed by future updates. While the overarching guidelines supporting new technology are helpful, this draft does nothing to bridge the gap between logical access and physical access control systems. We expect this change to be received as a minor update by physical security managers and executives.

1 report cite this report:

TWIC Access Credentials Under Fire on Oct 20, 2014
One of the biggest credential formats in the US is barely hanging on. With over 3 million TWIC cards issued, it is one of the most common ID...
Comments : PRO Members only. Login. or Join.

Related Reports

Access Control Course Fall 2019 - Last Chance on Oct 17, 2019
Register Now - Fall 2019 Access Control Course. Thursday, October 17th is the last day to register. IPVM offers the most comprehensive access...
2020 Access Control Book Released on Dec 19, 2019
This is the best, most comprehensive access control book in the world, based on our unprecedented research and testing has been significantly...
HID Launches Origo To Fix Mobile Credential Problems on Feb 05, 2019
HID is releasing Origo, an overhaul of its mobile credential platform, this time drastically restructuring the way it is priced and packaged. HID's...
Startup GateKeeper Aims For Unified Physical / Logical Access Token on Apr 04, 2019
This startup's product claims to 'Kill the Password' you use to keep your computers safe. They have already released their Gatekeeper Halberd...
OSDP Access Control Guide on Jun 04, 2019
Access control readers and controllers need to communicate. While Wiegand has been the de facto standard for decades, OSDP aims to solve major...
Poor OSDP Usage Statistics 2019 on Jul 09, 2019
OSDP certainly offers advantages over decades-old Wiegand (see our OSDP Access Control Guide) but new IPVM statistics show that usage of OSDP, even...
Mobile Access Usage Statistics 2019 on Jul 18, 2019
The ability to use mobile phones as access credentials is one of the biggest trends in a market that historically has been slow in adopting new...
Open Access Controller Guide (Axis, HID, Isonas, Mercury) on Sep 19, 2019
In the access control market, there are many software platforms, but only a few companies that make non-proprietary door controllers. Recently,...
Access Control Time & Attendance Guide on Sep 24, 2019
Access control systems can do more than lock doors. With little or no extra equipment, they can be used to track labor hours for employees...
Directory of Access Reader Manufacturers on Nov 27, 2019
Credential Readers are one of the most visible and noticeable parts of access systems, but installers often stick with only the brand they always...

Most Recent Industry Reports

Axis and Genetec Drop IFSEC 2020 on Jan 23, 2020
Two of the best-known video surveillance manufacturers are dropping IFSEC International 2020, joining Milestone who dropped IFSEC in 2019. The...
Multipoint Door Lock Tutorial on Jan 23, 2020
Despite widespread use, locked doors are notoriously weak at stopping entry, and thousands can be misspent on locks that leave doors quite...
Avigilon Shifts Cloud Strategy - Merges Blue and ACC on Jan 23, 2020
Avigilon is shifting its cloud strategy, phasing out its Blue web-managed surveillance platform as a stand-alone brand and merging it with its ACC...
Verkada Paying $100 For Referrals Just To Demo on Jan 22, 2020
Some companies pay for referrals when the referral becomes a customer. Verkada is taking it to the next level - paying $100 referrals fees simply...
Camera Analytics Shootout 2020 - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Uniview, Vivotek on Jan 22, 2020
Analytics are hot again, thanks to a slew of AI-powered cameras, but whose analytics really work? And how do these new smart cameras compare to top...
Intersec 2020 Final Show Report on Jan 21, 2020
IPVM spent all 3 days at the Intersec 2020 show interviewing various companies and finding key trends. We cover: Middle East Enterprise...
Vehicle & Long Range Access Reader Tutorial on Jan 21, 2020
One of the classic challenges for access control are parking lots and garages, where the user's credential is far from the reader. With modern...
Clearview AI Alarm - NY Times Report Says "Might End Privacy" on Jan 20, 2020
Over the weekend, the NY Times released a report titled "The Secretive Company That Might End Privacy as We Know It" about a company named...
Favorite Camera Manufacturers 2020 on Jan 20, 2020
The past 2 years of US bans and sanctions have shaken the video surveillance industry but what impact would this have on integrators' favorite...
"Severely Impacted" Mercury Security 2020 Leap Year Firmware Issue on Jan 17, 2020
One of the largest access controller manufacturers has a big problem: February 29th. Mercury Security, owned by HID, is alerting partners of the...