PIV — from FIPS 201 to derived credentials.
Personal Identity Verification has moved from a smart-card mandate for U.S. federal civilian agencies to a credential family that lives on cards, USB tokens, mobile devices, and secure-element applets — while keeping its NIST SP 800-73 functional surface intact.
HSPD-12 issued
Homeland Security Presidential Directive 12 mandates a common identity standard for U.S. federal employees and contractors.
FIPS 201 published
Personal Identity Verification of Federal Employees and Contractors. The PIV card and the underlying applet architecture are defined.
NIST SP 800-73-2 / SP 800-78-2
Card-side specification matured: card commands, data model, key references; cryptographic algorithm constraints separately specified.
PIV-I (interoperable) ecosystem
Non-federal PIV-Interoperable credentials gain traction in defence industrial base and first-responder communities.
FIPS 201-2 revision
Adds optional features: biometric on-card comparison, contactless on-card biometric matching, on-card discoverability. Acknowledges mobile use cases.
SP 800-157 — Derived PIV Credentials
NIST publishes the derived-credential pattern: a smartphone-resident credential cryptographically derived from a parent PIV card.
OPM breach refocuses PIV
The OPM credential-theft incident sharpens federal focus on hardware-rooted, phishing-resistant authentication. PIV deployment depth increases.
SP 800-73-4 published
Latest functional PIV card spec: BER-TLV data model, key reference codes, on-card biometric. Still the implementation target a decade later.
OMB M-22-09 (zero-trust)
White House memo elevates phishing-resistant MFA. Federal IdPs accept PIV cards alongside FIDO2 hardware keys; mobile-derived PIV in scope.
Embedded secure-element PIV applets in production
PIV applets on nano-card secure elements ship for OEM and embedded identity programmes. The AmbiSecure PIV nano-card applet enters the market with a four-slot card edge and the FIPS 201 functional surface.
Multi-form-factor PIV
PIV credentials simultaneously live on cards, USB tokens, mobile devices, and nano-card secure elements. The PIV "card" is now the credential family, not the form factor.
PIV ⇄ FIDO bridging
Validation servers treat PIV and FIDO2 as alternative phishing-resistant factors, with per-tenant policy controlling which factor counts for AAL3.