Problem solve Get help with specific problems with your technologies, process and projects.

How will HSPD-12 affect authentication?

HSPD-12, signed in 2004, has called for standardized access to government facilities. In this expert Q&A, Joel Dubin reviews the mandate and states how it could impact today's authentication methods.

How will the government's Homeland Security Presidential Directive-12 mandate affect authentication?
The Homeland Security Presidential Directive-12 (HSPD-12) was designed to standardize physical access to government facilities. President George W. Bush signed the directive in 2004 in an effort to eliminate the current hodgepodge of different systems that government employees used to get into their offices.

The program is supposed to eventually create a standardized ID badge for all government employees, but is currently only in a pilot stage for selected facilities around the country. The badge is supposed to be tamperproof and not susceptible to counterfeiting.

The badge is essentially a smart card that contains a photo and biometric information, or in this case, a fingerprint, from the user. In addition, users will need to enter a PIN number into the device where they insert the card. The system is a textbook three-factor authentication system. It consists of something you know (the PIN), something you have (the card) and something you are (the fingerprint).

Optionally, any system meeting the standard can also support public key infrastructure (PKI) and digital certificates (DC).

Although the HSPD-12 directive states it also covers logical access to IT systems -- since technologically speaking, physical and logical access is slowly converging -- the current rollout is only for physical access to federal sites.

With that in mind, there might not be an immediate impact on authentication. However, you can expect that the same three-factor authentication system and smart card will be needed to access government IT systems down the road; probably within the next five years.

For specific information, consult the Federal Information Processing Standard Publication 201 (FIPS 201) on the National Institute of Technology Web site, which details implementing the HSPD-required Personal Identity Verification (PIV) cards.

More information:

  • Make sure your smart cards are tamper-proof.
  • Learn about other infosec-related regs.
  • This was last published in December 2006

    Dig Deeper on Two-factor and multifactor authentication strategies

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.