NIST readies new standards for biometric ID cards


Federal agencies looking to incorporate iris recognition authentication add-on capabilities to their Personal Identity Verification cards will soon get some expert help from the National Institute of Standards and Technology.

In July, NIST is set to release a key biometric reference that federal and federal contractors can use to develop identification cards under the Federal Information Processing Standard 201 (FIPS-201), Personal Identity Verification.

Charles Romine, director of NIST’s Information Technology Lab, in an email to FCW, provided some of the details that will be contained in the Special Publication 800-76-2, Biometric Data Specification for Personal Identity Verification.

The document has been eagerly awaited by lawmakers and federal agencies hungry for technical guidance on how to incorporate more-secure biometric identifiers on official identification credentials.

NIST’s development work on the document came under heavy criticism during a June 19 hearing by the House Oversight and Government Reform Committee's Subcommittee on Government Operations on biometric identification cards. Subcommittee Chairman John Mica (R-Fla.) and subcommittee Ranking Minority Member Gerry Connolly (D-Va.) lamented the lack of technical guidance for federal agencies in developing identification documents that incorporated iris and fingerprint biometric information. They railed against Romine’s predecessor, former information technology lab director Cita Furlani, who promised the committee that the same iris recognition/fingerprint biometric guidance would be available more than a year ago, but then retired without providing it.

At the latest June hearing, Romine told lawmakers the institute would release the biometric reference within 30 days.

The document, developed in conjunction with federal agencies, industry and industry stakeholders, extends biometric specifications of an initial 2007 edition release, said Romine.

Romine said NIST SP 800-76-2 will include specifications for federal agencies to use iris recognition as an optional add-on for authentication of their PIV cardholders. It will describe technical acquisition and formatting specifications for the biometric credentials of the PIV system, including the PIV Card itself, he said. It also details procedures and formats for fingerprints, iris and facial images.

Specific enhancements in the 2013 edition include the adoption of a specialized compact and formally standardized iris image format to provide agencies with another option for authenticating PIV cardholders.

The iris specifications in NIST SP 800-76-2, he said, are based on specialized iris image format requirements for compact storage in the international standard, ISO/IEC 19794-6:2011.

Additionally, images of one or both eyes may be placed on the card – each image size will have size of no more than 3 kilobytes per eye which supports compact on-card storage and fast reading times, he said. The document also includes performance specifications for iris biometrics to ensure accuracy, and provide guidance on iris camera selection by providing specifications. The standards-based elements specifications support interoperable authentication within and across agencies that may choose to use iris recognition. The fingerprint on-card comparison, said Romine, allows activation of PIV cards without entering a PIN. While not required, he said, agencies can use this technology at their option.

Note: This article was updated on July 1 to correct the misidentification of NIST's former information technology lab director Cita Furlani.

About the Author

Mark Rockwell is a staff writer covering acquisition, procurement and homeland security. Contact him at or follow him on Twitter at @MRockwell4.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.


Reader comments

Mon, Jul 1, 2013

I have eye issues already, I wonder what a continuous bombarding of my eye with the light required to read the iris print will do in the long term to the eye. After all, laser workers have to use glasses while using lased light to prevent eye damage even from indirect lased light, this is putting it right into the eye.

Mon, Jul 1, 2013

These standards are good... but let's not fool ourselves into thinking that PIV-stored biometric data really adds another full factor of authenitication. PKI and soon this iris data is still held physically with a card pown'd by a not-yet-authenticated actor. Only if the iris-scan's data (or hash) is sent to and confirmed by the remote service could it be considered another, full factor of authentication.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above