FIPS-201 Improvements Reviewed

Author: Brian Rhodes, Published on Jul 19, 2012

A new version of FIPS-201 is being introduced, but does the update make it more relevant to the physical security industry? To a large extent, FIPS-201 has been responsible for issuing large numbers of new credential cards, but has failed to change physical access control systems. Does the update rectify this? In this note, we examine the draft update and analyze what it means for the physical security industry.

Key Changes

One of FIPS-201's coauthors, the National Institute of Standards and Technology (NIST), has hosted several webinars and events circulating the revised standard, named FIPS-201-2. We joined one webinar in a series hosted by NIST that discuss the proposed changes with public participants, and while no agenda or minutes of that webinar were published, we cover the pieces most relevant to physical security below:

  • Credentials can be issued for 6 years, instead of 5.
  • Guidelines for implementing biometrics (fingerprints) into PIV cards are now included.
  • Guidelines for introducing 'E-Authentication' on cellphones or other flexible electronic devices are now included.
  • The physical access FIPS-201 compliant products is limited to a handful of vendors due to poor specifications

While the full impact of proposed changes to existing credential process is being evaluated, the draft changes do not obsolete any currently issued credentials.

History of Update: When FIPS 201 was initially introduced in 2005, its focus was predominantly on standardizing Logical Access credentials first. Supporting the standardization of Physical Access credentials fall under FIPS-201 scope, but the vastness of the effort has delayed much tangible focus. As a result, the importance/implementation of FIPS-201 has been mixed on the physical access side, and to date has primarily focused on issuing new 'PIV compliant' credentials. This update bridges some of the gaps on the Physical Access side by providing guidelines on how to properly issue and administrate biometric and electronic credentials.

Biometrics: This draft tightens up biometrics implementation by describing how they are used in '3 factor' verification, which the standard describes as:

  • "Something You Know": Personal ID Number
  • "Something You Have": Provisioned Access or Clearance by Higher Authorities
  • "Something You Are": Biometric Information, like Fingerprint Scan Information

The draft standard requires at least two fingerprint scans for biometric analysis. While the standard also mentions a 'facial image', this conveys a picture image and not iris or facial biometric scans. New biometric information is to be collected every time a PIV credential is issued, which is a maximum of 6 years.

E-Authentication: The revised standard opens the door for potential NFC style PIV credentials. While the standard does not specifically identify NFC technology, a new section mirroring OMB's 'E-Authentication Guidance' standard is included. This proposed authentication methods include guidelines for issuing E-Credentials with 'Very High Confidence', meaning that the highest level of credential can be extended to this technology.


Poor Specification means No Products: During the session, a physical security member criticised the standard, claiming the difficulty manufacturers face when designing FIPS 201 compliant products. The member point out, and the panel validated, that the 'approved product list' for FIPS 201 is limited to only a few vendors. Because the specification is difficult to interpret for many manufacturers, they choose to avoid designing compliant products. Consensus that better design specifications need to be published in order for many physcial security companies to 'enter the game'.

Market Impact

The update does little to change to current implementation of FIPS-201, and requires no new additional equipment or credentials. It does however, expand the current standard to include emerging credentials technologies like NFC. While this new standard has yet to be formally approved, it does not appear to substantially change physical access systems.

Standardizing FIPS-201 between logical and physical access control remains a huge obstacle, apparently to be addressed by future updates. While the overarching guidelines supporting new technology are helpful, this draft does nothing to bridge the gap between logical access and physical access control systems. We expect this change to be received as a minor update by physical security managers and executives.

1 report cite this report:

TWIC Access Credentials Under Fire on Oct 20, 2014
One of the biggest credential formats in the US is barely hanging on. With over 3 million TWIC cards issued, it is one of the most common ID...
Comments : PRO Members only. Login. or Join.

Related Reports on Access Control

Directory of Video Intercoms on Nov 13, 2018
Video Intercoms, also known as Video Door-Phones or Video Entry Systems, have been growing in the past decade as more and more IP camera...
Beware Amazon Go Store Hype (Tested) on Nov 13, 2018
IPVM's trip to and testing of Amazon Go's San Francisco store shows a number of significant operational and economic issues that undermine the...
Axis 2N Intercom Tested on Nov 08, 2018
Axis expanded its video intercom business buying Czech-based 2N in 2016. Despite competing against owner Axis' intercoms, 2N recently registered as...
Haven Targets School Security with Lockdown Lineup on Nov 08, 2018
Haven, a US startup founded in 2014 as a residential-focused company, has now raised funding and is offering a lineup of commercial grade locks for...
Directory Of Video Doorbells on Nov 06, 2018
Video doorbells are one of the fastest growing categories in video surveillance, especially among residences. The optimal placement of these...
HID: Stop Selling Cracked 125 kHz Credentials on Nov 05, 2018
HID should stop selling cracked 125 kHz access control credentials, that have been long cracked and can easily be copied by cheap cloners sold on...
Worst Products on Nov 03, 2018
Security integrators periodically report on their favorite and worst products to IPVM. These are known integrators who IPVM pays to answer surveys....
Solar-Powered, Smart-Phone-Based Access Kit (VIZPin) Examined on Nov 02, 2018
Cloud-based access control company VIZPin is releasing a solar-powered and smart phone based access control system for gates and other remote...
Building Occupancy Codes and Access Control Tutorial on Nov 01, 2018
A building or room's classification can greatly impact which building codes must be followed. In terms of access control, these 'occupancy codes'...
Resideo IPOs, Then Plunges on Oct 31, 2018
ADI and Honeywell Homes management have been touting their spinout and IPO for months, including appearing on Wall Street as they widely shared on...

Most Recent Industry Reports

'Sticker' Surveillance Camera Developed (CSEM Witness) on Nov 16, 2018
The Swiss Center for Electronics and Microtechnology (CSEM) has announced what it calls the: world’s first fully autonomous camera that can be...
ISC East 2018 Mini-Show Final Report on Nov 16, 2018
This is our second (updated) and final show report from ISC East. ISC East, by its own admission, is not a national or international show, billed...
Facial Detection Tested on Nov 16, 2018
Facial detection and recognition are increasingly offered by video surveillance manufacturers. Facial detection detects faces in an image/video...
Throughtek P2P/Cloud Solution Profile on Nov 15, 2018
Many IoT manufacturers either do not have the capabilities or the interest to develop their own cloud management software for their devices....
ASIS Offering Custom Research For Manufacturers on Nov 15, 2018
Manufacturers often want to know what industry people think about trends and, in particular, the segments and product they offer.  ASIS and its...
Hikvision Silent on "Bad Architectural Practices" Cybersecurity Report on Nov 14, 2018
A 'significant vulnerability was found in Hikvision cameras' by VDOO, a startup cybersecurity specialist. Hikvision has fixed the specific...
French Government Threatens School with $1.7M Fine For “Excessive Video Surveillance” on Nov 14, 2018
The French government has notified a high-profile Paris coding academy that it risks a fine of up to 1.5 million euros (about $1.7m) if it...
Integrator Credit Card Alternative Divvy on Nov 13, 2018
Most security integrators are small businesses but large enough that they have various employees that need to be able to expense various charges as...
Directory of Video Intercoms on Nov 13, 2018
Video Intercoms, also known as Video Door-Phones or Video Entry Systems, have been growing in the past decade as more and more IP camera...
Beware Amazon Go Store Hype (Tested) on Nov 13, 2018
IPVM's trip to and testing of Amazon Go's San Francisco store shows a number of significant operational and economic issues that undermine the...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact