Cost saving credential consolidation techniques with PIV-C

August 28, 2017 0 Comments in 800-171, PIV-C by Gregory Abrenio

What an amazing summer. Personally, it was the summer of PIV-C! It was great because I spent a majority of the summer traveling around the nation helping customers implement and get the most out of their PIV-C credentials. What was so rewarding was witnessing firsthand how the NIST (PIV) interoperability standards are really helping customers save money by allowing them to streamline and consolidate their multi-factor authentication platforms. In this blog, I will share some real-world techniques that can help your organization better utilize PIV-C cards to lower costs.

PIV-C Credential Conslidation Technique Savings Table

Technique How it saves money
Use 1 PIV-C Card for both LACS and (Legacy) PACS Eliminate credential issuance costs
Easily (and securely) derive credentials for mobile devices Eliminate travel and hardware costs
Consolidate encryption certificates Eliminate downtime and 3rdparty certificate costs
Streamline remote access Eliminate 3rd party licensing and support costs
Privileged and regular identities on 1 PIV-C Card Eliminate credential issuance costs


Use 1 Credential for both LACS and (Legacy) PACS:

New card technologies have been designed specifically to allow enterprise users to use their existing physical access control system (PACS) readers with the new PIV-C based smart cards. This means that enterprises can use their choice of Seos, iCLASS, MIFARE Classic or MIFARE DESFire physical access with optional HID or Indala Prox protocols to issue their PIV-C credentials. With this setup, users can use one credential to log in to their logical access resources and then use that same PIV-C credential to open doors and other physical access resources.

Easily (and securely) derive credentials for mobile devices:

Thanks to the NIST derived credential standards, enterprises have a clear security protocol for requesting and generating derived credentials for mobile devices. Now, a user can leverage their PIV-C card as a means to remotely identify themselves to create derived credential requests for their mobile devices. This means organizations can fully automate this process to securely deliver certificates to end user devices without any user downtime due to travel or other time-consuming processes related to manual certificate issuance.

Consolidate encryption digital certificates:

One of the great things I saw when traveling was the massive use of encryption. It was so nice to see organizations encrypting their data with PKI technology. However, a common challenge was how to manage older keys once the user got new keys (for example, sometimes they would lose their older key and then could not decrypt older messages). This is another area PIV-C starts to really pay off – encryption key history storage and consolidation. With the PIV standards, key history is automatically stored onto the user’s PIV card…even if they get a brand-new card. This means the user always has secure access to their current and older encryption keys on their PIV-C card. No longer do they have to manage different storage locations or be worried that they cannot decrypt older messages because they lost their previous encryption keys. Now all of their encryption keys are conveniently located on their PIV-C card!


Privileged and regular user identities on 1 PIV-C Card:

Privileged users represent a challenging situation. In addition to their administrative needs, privileged users also need lower access accounts to allow the identity to whom the account belongs to perform their non-administrative business tasks. Although enterprises can this issue by issuing multiple tokens or adjusting their domain controller to map the tokens to different accounts, both come with additional costs and administrative burdens. 

Another approach is to load both the privileged and regular user account information onto one PIV-C card. This allows the privileged user to carry only 1 PIV-C card and does not require any domain or certificate changes. New card technology includes additional PKI slots built into the card for this specific purpose. Now the enterprise can issue multiple certificates for one identity on one card which can result in drastic credential savings. Also, it makes it much more convenient for the privileged user as they now only have to carry around 1 credential for their different systems.



The standardization and interoperability vision of NIST is paying off in practical and financial terms. Using both the basic and advanced PIV-C security features, enterprises can really begin to experience cost savings by issuing a credential that is standard and is extremely secure. I hope the techniques in this blog helped illustrate fundamental ways PIV-C can reduce costs. In the upcoming weeks, we are going to be publishing more on PIV-C advanced usages so make sure to subscribe to our list.


Learn how PIV-C strengthens physical access control