First of a three-part series

By Mohammed Murad

The 2001 9/11 terrorist attacks on the U.S. forever changed how U.S. government agencies look at day-to-day operations. Security became top of mind, with improvements to access control drawing significant attention.

Necessary improvements to access control weren’t limited to airports, where the terrorists initiated their attacks. Officials also wanted to strengthen the identification and authentication of employees accessing office buildings and even individual workstations and printers.

In 2004, then-President George W. Bush issued Homeland Security Presidential Directive 12 (HSPD-12), calling on agencies to create a strong credential to replace the hodgepodge of access card protocols in use. The creation of a Common Access Card (CAC) began with federal employees undergoing thorough background checks conducted by the Department of Defense, FBI and other government agencies. Cleared workers would receive a CAC inextricably linked to the individual cardholder using a biometric measurement embedded into each card.

The federal National Institute for Standards and Technology was charged with developing the necessary technology to make the plan work, including interoperability among federal organizations using the new standards. NIST called upon the expertise of leading access control manufacturers to assist in the process.

What’s in PIV?

The effort resulted in credentials roughly the size of a standard credit card. An embedded circuit chip provides data storage and memory that enables rapid authentication, enhanced security and logical access. Each Personal Identity Verification (PIV) card contains Public Key Infrastructure (PKI) certificates allowing cardholders to sign documents virtually, encrypt and decrypt emails and establish a network connection.

The chip also stores two digital fingerprints, a digital photo, a verification certificate, demographic information such as the cardholder’s name, date of birth, personnel category and card expiration date. A magnetic stripe on the back is reserved for use by individual agencies. Each cardholder also receives a Personal Identification Numbers (PINs) for added security.

Card readers mounted at doors, parking facilities, elevators, workstations and other locations compare a finger biometric with the digital template stored on the credential. Restrictions limit access to specific areas of agency facilities. The addition of the biometric virtually eliminates the possibility of a non-authorized person using a lost, stolen or borrowed credential.


Other The nation’s 361 ports, most operated by local agencies or private organizations, are considered vital to the nation’s physical and economic security. That’s why the federal Maritime Transportation Act extended the PIV concept to port employees, who now carry access cards known as Transportation Worker Identification Credentials (TWIC).

Today, about 5 million federal employees and contractors carry PIV cards. Private manufacturers have developed hundreds of government-approved products ranging from cards and readers to command centers. Yet, despite the tremendous progress made in the design and use of PIVs, full deployment throughout the federal government has been bumpy. On the positive side, newer technologies promise to improve the existing credentialing system.

We’ll have more soon on the current implementation and future of the government’s access control program.

(Mohammed Murad is vice president, global development and sales for Iris ID, a global provider of iris recognition solutions. IrisAccess® is the world’s leading deployed iris recognition platform and is used in thousands of locations, authenticating millions of people’s identities daily.)