NIST readies new standards for biometric ID cards


Federal agencies looking to incorporate iris recognition authentication add-on capabilities to their Personal Identity Verification cards will soon get some expert help from the National Institute of Standards and Technology.

In July, NIST is set to release a key biometric reference that federal and federal contractors can use to develop identification cards under the Federal Information Processing Standard 201 (FIPS-201), Personal Identity Verification.

Charles Romine, director of NIST’s Information Technology Lab, in an email to FCW, provided some of the details that will be contained in the Special Publication 800-76-2, Biometric Data Specification for Personal Identity Verification.

The document has been eagerly awaited by lawmakers and federal agencies hungry for technical guidance on how to incorporate more-secure biometric identifiers on official identification credentials.

NIST’s development work on the document came under heavy criticism during a June 19 hearing by the House Oversight and Government Reform Committee's Subcommittee on Government Operations on biometric identification cards. Subcommittee Chairman John Mica (R-Fla.) and subcommittee Ranking Minority Member Gerry Connolly (D-Va.) lamented the lack of technical guidance for federal agencies in developing identification documents that incorporated iris and fingerprint biometric information. They railed against Romine’s predecessor, former information technology lab director Cita Furlani, who promised the committee that the same iris recognition/fingerprint biometric guidance would be available more than a year ago, but then retired without providing it.

At the latest June hearing, Romine told lawmakers the institute would release the biometric reference within 30 days.

The document, developed in conjunction with federal agencies, industry and industry stakeholders, extends biometric specifications of an initial 2007 edition release, said Romine.

Romine said NIST SP 800-76-2 will include specifications for federal agencies to use iris recognition as an optional add-on for authentication of their PIV cardholders. It will describe technical acquisition and formatting specifications for the biometric credentials of the PIV system, including the PIV Card itself, he said. It also details procedures and formats for fingerprints, iris and facial images.

Specific enhancements in the 2013 edition include the adoption of a specialized compact and formally standardized iris image format to provide agencies with another option for authenticating PIV cardholders.

The iris specifications in NIST SP 800-76-2, he said, are based on specialized iris image format requirements for compact storage in the international standard, ISO/IEC 19794-6:2011.

Additionally, images of one or both eyes may be placed on the card – each image size will have size of no more than 3 kilobytes per eye which supports compact on-card storage and fast reading times, he said. The document also includes performance specifications for iris biometrics to ensure accuracy, and provide guidance on iris camera selection by providing specifications. The standards-based elements specifications support interoperable authentication within and across agencies that may choose to use iris recognition. The fingerprint on-card comparison, said Romine, allows activation of PIV cards without entering a PIN. While not required, he said, agencies can use this technology at their option.

Note: This article was updated on July 1 to correct the misidentification of NIST's former information technology lab director Cita Furlani.

About the Author

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at or follow him on Twitter at @MRockwell4.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Mon, Jul 1, 2013

I have eye issues already, I wonder what a continuous bombarding of my eye with the light required to read the iris print will do in the long term to the eye. After all, laser workers have to use glasses while using lased light to prevent eye damage even from indirect lased light, this is putting it right into the eye.

Mon, Jul 1, 2013

These standards are good... but let's not fool ourselves into thinking that PIV-stored biometric data really adds another full factor of authenitication. PKI and soon this iris data is still held physically with a card pown'd by a not-yet-authenticated actor. Only if the iris-scan's data (or hash) is sent to and confirmed by the remote service could it be considered another, full factor of authentication.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group