FIPS-201 Improvements Reviewed

By: Brian Rhodes, Published on Jul 19, 2012

A new version of FIPS-201 is being introduced, but does the update make it more relevant to the physical security industry? To a large extent, FIPS-201 has been responsible for issuing large numbers of new credential cards, but has failed to change physical access control systems. Does the update rectify this? In this note, we examine the draft update and analyze what it means for the physical security industry.

Key Changes

One of FIPS-201's coauthors, the National Institute of Standards and Technology (NIST), has hosted several webinars and events circulating the revised standard, named FIPS-201-2. We joined one webinar in a series hosted by NIST that discuss the proposed changes with public participants, and while no agenda or minutes of that webinar were published, we cover the pieces most relevant to physical security below:

  • Credentials can be issued for 6 years, instead of 5.
  • Guidelines for implementing biometrics (fingerprints) into PIV cards are now included.
  • Guidelines for introducing 'E-Authentication' on cellphones or other flexible electronic devices are now included.
  • The physical access FIPS-201 compliant products is limited to a handful of vendors due to poor specifications

While the full impact of proposed changes to existing credential process is being evaluated, the draft changes do not obsolete any currently issued credentials.

History of Update: When FIPS 201 was initially introduced in 2005, its focus was predominantly on standardizing Logical Access credentials first. Supporting the standardization of Physical Access credentials fall under FIPS-201 scope, but the vastness of the effort has delayed much tangible focus. As a result, the importance/implementation of FIPS-201 has been mixed on the physical access side, and to date has primarily focused on issuing new 'PIV compliant' credentials. This update bridges some of the gaps on the Physical Access side by providing guidelines on how to properly issue and administrate biometric and electronic credentials.

Biometrics: This draft tightens up biometrics implementation by describing how they are used in '3 factor' verification, which the standard describes as:

  • "Something You Know": Personal ID Number
  • "Something You Have": Provisioned Access or Clearance by Higher Authorities
  • "Something You Are": Biometric Information, like Fingerprint Scan Information

The draft standard requires at least two fingerprint scans for biometric analysis. While the standard also mentions a 'facial image', this conveys a picture image and not iris or facial biometric scans. New biometric information is to be collected every time a PIV credential is issued, which is a maximum of 6 years.

E-Authentication: The revised standard opens the door for potential NFC style PIV credentials. While the standard does not specifically identify NFC technology, a new section mirroring OMB's 'E-Authentication Guidance' standard is included. This proposed authentication methods include guidelines for issuing E-Credentials with 'Very High Confidence', meaning that the highest level of credential can be extended to this technology.


Poor Specification means No Products: During the session, a physical security member criticised the standard, claiming the difficulty manufacturers face when designing FIPS 201 compliant products. The member point out, and the panel validated, that the 'approved product list' for FIPS 201 is limited to only a few vendors. Because the specification is difficult to interpret for many manufacturers, they choose to avoid designing compliant products. Consensus that better design specifications need to be published in order for many physcial security companies to 'enter the game'.

Market Impact

The update does little to change to current implementation of FIPS-201, and requires no new additional equipment or credentials. It does however, expand the current standard to include emerging credentials technologies like NFC. While this new standard has yet to be formally approved, it does not appear to substantially change physical access systems.

Standardizing FIPS-201 between logical and physical access control remains a huge obstacle, apparently to be addressed by future updates. While the overarching guidelines supporting new technology are helpful, this draft does nothing to bridge the gap between logical access and physical access control systems. We expect this change to be received as a minor update by physical security managers and executives.

1 report cite this report:

TWIC Access Credentials Under Fire on Oct 20, 2014
One of the biggest credential formats in the US is barely hanging on. With over 3 million TWIC cards issued, it is one of the most common ID...
Comments : PRO Members only. Login. or Join.

Related Reports on Access Control

ZK Teco Atlas Access Control Tested on Aug 20, 2019
Who needs access specialists? China-based ZKTeco claims its newest access panel 'makes it very easy for anyone to learn and install access control...
Suprema Biometric Mass Leak Examined on Aug 19, 2019
While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past...
Biometrics Usage Statistics 2019 on Aug 13, 2019
Biometrics are commonly used in phones, but how frequently are they used for access? 150+ integrators told us how often they use biometrics,...
ProdataKey (PDK) Access Company Profile on Aug 09, 2019
 Utah based ProdataKey touts low cost cloud access, wireless controllers, and no dealer required national distribution availability.  But how does...
Axis Door Station A8207-VE Tested on Aug 07, 2019
Axis newest door station, the A8207-VE, claims to deliver "video surveillance, two-way communication, and access control" in a single device. But...
Mobile Access Control Shootout - Farpointe, HID, Openpath, Nortek, Proxy on Jul 29, 2019
One of the biggest rising trends in access control is using phones as credentials but which offering is best? IPVM has tested five of the...
Responsibility Split Selecting Locks - Statistics on Jul 22, 2019
A heated access debate surrounds who should pick and install the locks. While responsible for selecting the control systems, integrators often...
Mobile Access Usage Statistics 2019 on Jul 18, 2019
The ability to use mobile phones as access credentials is one of the biggest trends in a market that historically has been slow in adopting new...
How To Troubleshoot Wiegand Reader Problems - Inverted Wiring on Jul 16, 2019
Wiegand is the dominant method of connecting access readers, but problems can arise for installers. In fact, one of the most difficult reader...
Nortek Blue Pass Mobile Access Reader Tested on Jul 11, 2019
Nortek claims BluePass mobile readers are a 'more secure and easy to use approach to access', but our testing uncovered security problems and...

Most Recent Industry Reports

Uniview Beats Intel In Trademark Lawsuit on Aug 19, 2019
Uniview has won a long-running trademark lawsuit brought by Intel, with Beijing's highest court reversing an earlier Intel win, centered on...
Suprema Biometric Mass Leak Examined on Aug 19, 2019
While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past...
Verkada People And Face Analytics Tested on Aug 16, 2019
This week, Verkada released "People Analytics", including face analytics that they describe is a "game-changing feature" that "pushes the...
Dahua OEM Directory 2019 on Aug 16, 2019
US Government banned Dahua OEMs for dozens of companies. The following directory includes 40+ of those companies with a graphic and links to...
Installation Course - Register Now on Aug 15, 2019
Register Now for the September 2019 Video Surveillance Install Course. This is a unique installation course in a market where little practical...
Axis Suffers Outage, Provides Postmortem on Aug 15, 2019
This week, Axis suffered an outage impacting their website and cloud services. Inside this note, we examined what happened, what was impacted...
Hikvision Scrutinized In The Netherlands on Aug 15, 2019
Hikvision is facing unprecedented scrutiny in the Netherlands, at the same time the US government ban has taken effect. This week, a Dutch...
Axis 4K Camera Shootout 2019 on Aug 14, 2019
Axis' 4K Q3518-LVE claims the "best video quality possible", with Lightfinder super low light performance, Axis' high end Forensic WDR, and...
CheckMySystems Company Profile on Aug 14, 2019
CheckMySystems says that too many users respond, "I get an email when something is wrong" when talking about their video system maintenance plan,...
Hikvision OEM Directory on Aug 13, 2019
The Chinese government-owned and US-government banned Hikvision has become the world's largest video surveillance manufacturer and generally hidden...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact