PIV-I Enrollment for Educational Institutions Use Case
What is the PIV-I?:
"Personal Identity Verification - Interoperable" -- is "a physical card with up to four data stores or sharing tools: an RFID card, a bar code, a QR code and/or a mag stripe, as well as a photo and verbiage that might include the person's name, institution or affiliation, and location of the institution. It is issued by entities like government agencies to employees or educational institutions to students, and is used to do things like enter a building or make secure computing happen on a computer, register for classes or get health services, and the "I" is the interoperable version of this card." This use case concerns electronic credential enrollment in the setting of an accredited institution of higher learning. The card would establish a person’s electronic credentials, bind intrinsic or extrinsic attributes to an electronic credential, authenticate a person, authenticate a person at a website, authenticate a person at an organization, and authenticate a person for remote high value transactions.
Use Case Description:
This use case describes an educational institution acting as a PIV-I Electronic Credential Provider to students, employees and staff, researchers, professors, etc.
Use Case Category: Trust/Assurance, Authentication, Interoperability, Privacy
Contributor: Bryan Russell (bryan.russell@xtec.com)
Use Case: The card would establish a person’s electronic credentials, bind intrinsic or extrinsic attributes to an electronic credential, authenticate a person, authenticate a person at a website, authenticate a person at an organization, and authenticate a person for remote high value transactions.
Category: Trust/Assurance, Authentication, Interoperability, Privacy
Actors:
- Educational institution as an electronic credential provider;
- Applicant who desires to acquire an electronic credential;
- Subscriber who has successfully been issued an electronic credential;
Goals: Mariella’s educational institution wants to offer Mariella an electronic credential. (Based on NIST Updated E-Guidance)
- Provides an electronic credential that could be trusted by government relying parties at LOA3 and/or other relying parties at equal or lower levels of assurance.
- Electronic Credential can be trusted for strong authentication and used in physical access decisions as well as logical access decisions.
- Provides strong digital signing for online document submission and critical version control functions when Universities are collaborating on work product.
- Student (Mariella) could attach a branded electronic wallet to facilitate meal funding on campus and a number of other online transactions that could potentially extend off campus.
- The PIV-I provides the initial trust framework needed to create derived certificates from the electronic credential so that the electronic credential could be extended to multiple devices and controlled by the Subscriber.
Assumptions: The educational institution in this use case is an accredited institution of higher learning. Mariella's educational institution has contracted with a certified personal identity verification interoperable (PIV-I) issuer or has been certified as a personal identity verification interoperable (PIV-I) issuer. The PIV-I electronic credential is issued as consistently as possible with FIPS 201 and NIST 800-63 and as described in NIST Updated E-Authentication Guidance. The Applicant can successfully satisfy applicable vetting and enrollment requirements. The Applicant has completed and satisfied some sort of electronic credential enrollment application.
Requirements: Subscriber has had a relationship in good standing with the institution for at least 1 year or can meet in-person, vetting, and enrollment requirements. (Described in NIST Updated E-Authentication Guidance)
Process Flow:
New In-Person Student Enrollment - The Applicant (Mariella, who may be a new student) wishes to apply in person for an electronic credential that can provide strong three-factor authentication and is trusted for high assurance transactions/interactions with the educational institution via the internet or on campus. The enrollment process binds an intrinsic attribute (biometric) to the electronic credential and allows secure access to the attribute if required for extremely high value access decisions. In addition to providing the third factor for authorization decisions, the binding of the intrinsic attribute (biometric) to the electronic credential during enrollment provides non-repudiation in the event the Educational Institution needs to prove the Subscriber and the Applicant were indeed the same person. The Educational Institution's representative scans the appropriate documents, scans Mariella’s fingerprints and captures a photo of her with an enrollment station. The enrollment station then encodes and activates the credential and prints the photo on it. The processes for transmitting and storing the data, including encryption methods, are defined in applicable standards.
Existing Students - An existing student, Mariella (Applicant), who meets the minimum requirements, wishes to apply for an electronic credential that is trusted for high assurance transactions/interactions with the educational institution via the internet or on campus. The Subscriber completes the electronic credential application and returns it to their Educational Institution. The Educational Institution confirms the applicant’s information and securely forwards the applicable information to a fulfillment house where the electronic credential is encoded but not activated. The electronic credential is then sent to the address of record of the Subscriber. Upon receipt, the Subscriber confirms he or she is the proper individual to activate the electronic credential. The electronic credential is activated. Based on NIST Updated E-Authentication Guidance, an existing student who is issued a PIV-I "like" credential in this manner is capable of reaching level 3 assurance transactions/interactions. The activation of the electronic credential is done much like the financial industry activates PIN debit cards in today's environment.
Success Scenario:
- Applicant applies for an electronic credential
- Applicant satisfies vetting and enrollment requirements
- Applicant obtains electronic credential in person or through the mail
- Electronic credential is activated
- Subscriber utilizes the electronic credential to remotely connect to the Educational Institution's web services over the internet to access protected resources.
- Claimant is authenticated by the Educational Institution utilizing two-factor authentication (hard token, PIN); the biometric may be presented as the third authentication factor for high value authentication decisions.
- Educational Institution web services are authenticated by the Claimant
- Encrypted web session is established between parties
- Claimant requests access to protected resources
- Claimant desires to make changes to the protected resource
- Claimant signs the changes with a digital signature produced from the electronic credential
- Changes are logged
Error Conditions:
- Applicant's fingerprints can’t be captured during in-person enrollment – enrollment continues utilizing applicable documents and vetting procedures. Note: may reduce trust to LOA3
- Subscriber’s operating system does not support PIV-I encryption – Microsoft Windows XP, Windows Vista, and Windows 7 can be updated to support PIV-I encryption
- Subscriber's PC does not have a smartcard reader – Subscriber could utilize a USB smartcard reader; many of the newer machines have a smartcard reader built in, or one can be added. In addition, PIV-I "like" electronic credentials can come in many form factors (smartcard, smart phone, USB, tablet, iPad, etc.)
- Claimant impersonates another individual to obtain an electronic credential – utilize strong vetting, issuance and activation standards
- Internet is not available - ???
- Educational Institution can’t authenticate the Claimant – Send error message and terminate connection
- Claimant can’t authenticate the Educational Institution – Send error message and terminate connection
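An added example (not part of the original use case) that models the credential lifecycle and the relying-party decision described in the Success Scenario and Error Conditions above. The state names, the factor labels and the rule that the biometric is mandatory for high value decisions are assumptions made for illustration.

```python
from enum import Enum

class State(Enum):
    APPLIED = 1
    VETTED = 2
    ENCODED = 3      # personalized, possibly in the mail, not yet usable
    ACTIVATED = 4

# Legal lifecycle steps, in the order of the Success Scenario.
NEXT = {State.APPLIED: State.VETTED,
        State.VETTED: State.ENCODED,
        State.ENCODED: State.ACTIVATED}

class Credential:
    def __init__(self, subscriber, biometric_bound=True):
        self.subscriber = subscriber
        # False models the error condition where fingerprints could
        # not be captured and enrollment continued with documents only.
        self.biometric_bound = biometric_bound
        self.state = State.APPLIED

    def advance(self, new_state):
        """Move one step forward; skipping vetting or activation is refused."""
        if NEXT.get(self.state) is not new_state:
            raise ValueError(f"illegal step {self.state.name} -> {new_state.name}")
        self.state = new_state

def authorize(cred, factors, high_value=False):
    """Relying-party decision: returns (allowed, reason)."""
    if cred.state is not State.ACTIVATED:
        return False, "credential not activated"
    if not {"token", "pin"} <= set(factors):
        return False, "hard token and PIN both required"
    if high_value:  # assumed policy: third factor is mandatory here
        if not cred.biometric_bound:
            return False, "no biometric bound at enrollment"
        if "biometric" not in factors:
            return False, "biometric required for high value decision"
    return True, "ok"

def issue(subscriber, biometric_bound=True, activate=True):
    """Walk a constructed credential through the lifecycle."""
    cred = Credential(subscriber, biometric_bound)
    for step in (State.VETTED, State.ENCODED):
        cred.advance(step)
    if activate:
        cred.advance(State.ACTIVATED)
    return cred
```

A credential created with activate=False represents the mailed card of the existing-student flow: it is refused by authorize until the activation step has been recorded.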
Risks
- PIV-I Card is overused in situations it was not meant for based on original scope.
- PIV-I Card is used to share information collected beyond the original scope of the card mission.
- PIV-I Card could disclose information the person didn't want to disclose.
- PIV-I Card could associate medical information onto the card, in violation of HIPAA rules.
Relationships
- Extended by:
- Extension of:
References and Citations
- NIST Updated E-Authentication Guidance; NIST SP 800-63
- FIPS 201
- [File:https://www.idecosystem.org/wiki/File:PIV_and_related_standards.jpg]