Risk
4/19/2011
12:19 PM
Connect Directly
RSS
E-Mail
50%
50%

Federal Biometric ID Cards Get Iris Scan Option

National Institute for Standards and Technology has revised specifications for the proposed federal employee and contractor authentication system, including a new option to fingerprinting.

Government Innovators
Slideshow: Government Innovators
(click image for larger view and for full slideshow)
Biometric ID cards being developed for federal employees and contractors may include iris scanning in addition to fingerprinting, according to updated specifications released by the federal organization for IT standards.

A new draft of Special Publication 800-76-2 by the National Institute of Standards and Technology (NIST) includes a clause that would require the use of iris scanning as biometric identification if a person doesn't have fingerprints or if fingerprinting is problematic, according to the document.

The document includes specifications for iris images stored both on and off the personal identity verification (PIV) cards people will use to confirm their identity; for iris capture devices; for the semantic properties of an iris image; for an iris image capture interface; and for an iris recognition interface.

The new draft also includes specifications for an option agencies have to add an algorithm that would provide on-card comparison of fingerprints rather than requiring a personal identification number (PIN) when checking someone's credentials.

The original set-up for the system required a cardholder to enter a PIN number to check card credentials against a card reader. The new draft allows for agencies to choose to include an algorithm on the card that would eliminate the need for PIN entry to check credentials, according to the new draft.

Specifications for the on-card option support an earlier draft outlining the specifics of the federal PIV system, FIPS 201-2, which was released March 8.

That document "does not require PIN entry ahead of a fingerprint minutiae on-card comparison transaction" and "extends on-card comparison as an alternative to PIN entry in altering the state of the PIV card," according to Special Publication 800-76-2.

The federal government is developing biometric ID cards as mandated by Homeland Security Presidential Directive 12. The directive is aimed at increasing security and efficiency, reducing identity fraud, cutting costs, and protecting personal privacy by requiring biometric identification for all federal employees and contractors when entering federal facilities or IT networks and systems.

Cybersecurity is a chief concern of the federal government, and the biometric identity system is one of many steps it's taking to provide more security both internally and externally.

The new draft is open for public comment until May 22. People can submit comments to NIST by emailing patrick.grother@nist.gov.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.