PIV-I Enrollment for Financial Institutions Use Case

From IDESG Wiki
Jump to: navigation, search

Title: Financial Institution Issue PIV-I electronic credential. Establish a person’s electronic credential, Bind intrinsic or extrinsic attribute to an electronic credential, Authenticate person

Use Case Description: Financial Institution as an Electronic Credential Provider

Use Case Category: Trust/Assurance, Authentication, Interoperability, Privacy

Contributor: Bryan Russell (bryan.russell@xtec.com)

Use Case Details


  • Financial institution as an electronic credential provider;
  • Applicant who desires to acquire an electronic credential; Subscriber is an applicant who has successfully been issued an electronic credential

Goals: Tim’s financial institution wants to offer Tim an electronic credential (Based on NIST Updated E-Authentication Guidance)
Potential benefits:

  • Provides an electronic credential that could be trusted by government relying parties at LOA3
  • Electronic Credential can be trusted for strong authentication in the FI's web services and other relying parties.
  • Customer could attach a FI branded electronic wallet to facilitate a number of online transactions bringing a potentially large new reveue channel.
  • The PIV-I provides the initial trust framework needed to create derrived certificates from the electronic credential so that the electronic credential could be extended to multiple devices and controled by the Subscriber.
  • It improves customer retention by providing brand stickiness and promoting good will and loyalty.
  • The PIV-I provides a sound payment solution in cyberspace and due to the card properties and low level communications utilized by the PIV-I smart card, it could be used alongside EMV at the POS if the Subscriber doesn't want to use his mobile version.

Assumptions: PIV-I credential is issued consistent with FIPS 201 and NIST 800-63 or as described in NIST Updated E-Authentication Guidance. Applicant can successfully satisfy applicable vetting, business and regulatory (KYC) requirements; Applicant has completed some kind of electronic credential enrollment application;

Requirements: The financial institution has contracted with a certified (PIV-I) issuer or the financial institution has certified to issue PIV-I credentials. Applicant has been a customers in good standing for at least 1 year or can meet in-person vetting and enrollment requirements.

Process Flow: New in-person account opening- At the time of account enrollment the Applicant wishes to apply for and obtain an electronic credential that provides privacy, strong authentication and is trusted for high assurance transactions/interactions on the internet. The enrollment process binds an intrinsic attribute (biometric) to the electronic credential and allows for secure access to the attribute during authorizations when/if required. In addition to providing a third factor for authorization decisions, the binding of the intrinsic attribute (biometric) to the electronic credential during enrollment provides repudiation in the event the financial institution needs to prove the Subscriber and the Applicant were indeed the same person. The customer service representative scans the KYC documents, scans the applicant’s intrinsic attribute and captures a photo with an enrollment station. The enrollment station then encodes, activates, and prints the required data elements on the electronic credential. The electronic credential is given to the Subscriber.

Existing account holder- An existing account holder, who meets the minimum requirements, wishes to apply for and obtain an electronic credential that is trusted for high assurance transactions/interactions on the internet. The Applicant completes the electronic credential application and returns it to their financial institution. The FI confirms the applicant’s information and securly forwards the applicable information to a fulfillment house where the credential is printed and encoded but not activated. The electronic credential is then sent to the address of record for the Applicant. Upon receipt, the Applicant confirms he or she is the proper individual to activate the electronic credential. The electronic credential is activated through similar procedures currently used when activating new debit cards. Upon activation the Applicant becomes a Subscriber of the service.Based on NIST Updated E-Authentication Guidance, an existing account holder who is issued a PIV-I in this manner is capable of reaching level 3 assurance transactions/interactions.

Success Scenario:

  • Applicant applies for an electronic credential
  • Applicant satisfies financial institutions customer identification program (CIP}
  • Applicant obtains electronic credential in person or through the mail
  • Electronic credential is activated

Error Conditions:

  • Applicants intrinsic attributes can’t be captured during in-person enrollment – enrollment continues utilizing the picture and applicable documents
  • Subscriber’s home PC operating system does not support PIV-I encryption – Microsoft Window XP, Windows Vista, and Windows 7 can be updated to support PIV-I encryption
  • Subscribers home PC does not have a smartcard reader – PIV-I credentials can be extended to a preferred useable form factors like mobile, USB fob etc.
  • Applicant impersonates another individual to obtain an electronic credential – strengthen CIP and utilize strong vetting standards
  • Internet is not available - ???
  • Financial Institution can’t authenticate the Subscriber – Send error message and terminate connection
  • Subscriber can’t authenticate the financial institution – error message and terminate connection


  • Extended by:
  • Extension of:

References and Citations