What Is Personal Identity Verification (PIV)?

Key Points
  • Personal Identity Verification (PIV) is a security standard established by the US government to enhance both physical and network security using smartcards and cryptographic credentials.
  • PIV credentials can leverage a variety of data for authentication, including digital photos, biometric scans, and cryptographic keys, typically using X.509 certificates.
  • Efficient PIV credential lifecycle management, including identity proofing, certificate provisioning, and revocation, is crucial to maintaining security.
  • SecureW2 offers a comprehensive solution for managing PIV credential lifecycles, from provisioning certificates to revoking them, to secure MFA deployment at scale.

What Is PIV?

Personal Identity Verification (PIV) is a U.S. federal security standard that uses smart cards and X.509 digital certificates to authenticate employees and contractors before granting access to government facilities, networks, and applications.

PIV credentials combine something you have (the physical smart card), something you know (a PIN), and something you are (biometrics) into a single phishing-resistant authenticator.

Nearly five million PIV cards are in active use across federal IT environments today, making this one of the largest certificate-based authentication deployments in the world.

Before looking at how PIV authentication works, it helps to know what a PIV card stores and what the FIPS 201 standard requires.

What Is Stored on a PIV Card?

A PIV card is a contact smart card with an embedded microchip that stores and processes cryptographic data.

The card contains:

  • Digital photograph: Printed on the card and stored in the chip as a digitally signed object.
  • Fingerprint biometric templates: Used for on-card or off-card identity verification.
  • Four X.509 certificates with their key pairs:
      ◦ PIV Authentication certificate (always present): proves the cardholder’s identity to networks and applications.
      ◦ Card Authentication certificate (always present): proves that the card itself is genuine.
      ◦ Digital Signature certificate (optional): signs documents and emails.
      ◦ Encryption certificate (optional): encrypts documents and emails.
  • Cardholder Unique Identifier (CHUID): A data object used for physical access.
  • PIN: A knowledge factor that the cardholder enters to unlock cryptographic operations.

Key pairs use 2048-bit RSA or ECC with SHA-256 signatures.

Certificates are valid for three years, and the physical card is valid for six years.

Private keys are generated on the card and cannot be exported, which is what makes PIV credentials resistant to credential theft. While the PIV card stores the data, FIPS 201 lays down the rules for how that data is formatted and standardized.

The FIPS 201 Standard

The PIV standard originates from Homeland Security Presidential Directive 12 (HSPD-12), signed in 2004, which mandated a common identification credential for all federal employees and contractors.

The National Institute of Standards and Technology (NIST) developed FIPS 201 to define how PIV credentials are issued, managed, and used.

While FIPS 201 has been updated several times, the current FIPS 201-3 standard addresses the full credential lifecycle: identity proofing, enrollment, card issuance, authentication, certificate renewal, and revocation.

Who Needs a PIV Card?

PIV credentials are required for:

  • Federal civilian employees
  • Active-duty military personnel (who use the closely related Common Access Card, or CAC)
  • Federal contractors expected to serve six months or longer
  • Intermittent or seasonal workers with extended assignments

Agencies can also issue PIV cards to short-term workers through local policy decisions. Beyond federal mandates, many state and local government agencies, defense industrial base companies, and critical infrastructure operators have adopted PIV or PIV-I credentials voluntarily.

PIV vs. CAC vs. PIV-I vs. CIV: What Is the Difference?

Several credential types share the PIV technical framework but serve different populations.

The CAC is the DoD equivalent of a PIV card. Both follow FIPS 201, but they use separate certificate authority hierarchies.

PIV-I (Personal Identity Verification — Interoperable) extends the standard to non-federal personnel who need to interact with federal systems.

CIV (Commercial Identity Verification) adapts the PIV model for private-sector organizations that want smart card-based authentication without the federal identity proofing requirements.

The table below compares identity credentials.

Credential                              | Issuing Authority                       | Primary Users                                                | Trust Anchor
PIV (Personal Identity Verification)    | Federal civilian agencies               | Federal employees and contractors                            | Federal Bridge CA
CAC (Common Access Card)                | Department of Defense (DoD)             | Military, DoD civilians, and contractors                     | DoD PKI
PIV-I (PIV-Interoperable)               | Non-federal issuers (cross-certified)   | State/local govt, first responders, critical infrastructure  | Federal Bridge CA (cross-certified)
CIV (Commercial Identity Verification)  | Commercial organizations                | Enterprise employees                                         | Organization CA

How PIV Authentication Works

PIV authentication relies on X.509 certificates and a public key infrastructure. Here is what happens when a cardholder inserts a PIV card into a workstation or presents it to a network access point:

1. Card insertion and PIN entry: The user inserts the smart card and enters a PIN to unlock the cryptographic module.

2. Certificate presentation: The PIV Authentication certificate is sent to the relying party (a workstation, VPN gateway, Wi-Fi access point, or web application).

3. Certificate chain validation: The relying party verifies the certificate chain up to a trusted root CA, checks the certificate revocation status via CRL or OCSP, and confirms the certificate has not expired.

4. Challenge-response: The relying party sends a cryptographic challenge. The card signs it with the private key (which never leaves the chip). The relying party verifies the signature with the public key in the certificate.

5. Access granted: If the signature is valid, the certificate is trusted, and any policy checks pass (group membership, device compliance), the user is authenticated.

This process is phishing-resistant by design. Because the private key is hardware-bound and non-exportable, an attacker cannot replay or steal the credential remotely — unlike passwords, OTPs, or push notifications.
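The five steps above, written out as an added example in Go (this is not code from the original page or from SecureW2). A constructed test CA issues a three-year PIV Authentication certificate to a simulated card whose private key no method ever returns; the relying party then validates the chain and validity period, checks the CA's signed CRL for revocation, and verifies a freshly signed random challenge. The CA name, the cardholder name and PIN, the serial numbers and the use of ECDSA P-256 (the page allows RSA 2048 or ECC with SHA-256) are assumptions of the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PIVCard models the smart card: the private key lives only inside this struct and
// no method returns it, mirroring a non-exportable key generated on the chip.
type PIVCard struct {
	authKey  *ecdsa.PrivateKey
	AuthCert *x509.Certificate // PIV Authentication certificate, presented in step 2
	pin      string
	unlocked bool
}

// VerifyPIN is the "something you know" factor; signing is refused until it succeeds.
func (c *PIVCard) VerifyPIN(pin string) bool {
	c.unlocked = subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) == 1
	return c.unlocked
}

// SignChallenge is the on-card half of step 4: hash the challenge and sign the digest.
func (c *PIVCard) SignChallenge(challenge []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, errors.New("card locked: PIN not verified")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.authKey, digest[:])
}

// Authenticate is the relying party's side of steps 2 to 5: roots is its trust anchor
// pool and crl the issuing CA's signed revocation list. It returns the subject name.
func Authenticate(roots *x509.CertPool, crl *x509.RevocationList, card *PIVCard, now time.Time) (string, error) {
	cert := card.AuthCert
	// Step 3: chain to a trusted root, validity period and client-auth usage...
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	// ...then revocation status (a CRL here; OCSP is the page's other option).
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "", errors.New("certificate revoked")
		}
	}
	// Step 4: fresh random challenge, signed on the card, verified with the public
	// key of the certificate that was just validated.
	challenge := make([]byte, 32)
	must(rand.Read(challenge))
	sig, err := card.SignChallenge(challenge)
	if err != nil {
		return "", err
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig); err != nil {
		return "", fmt.Errorf("challenge signature invalid: %w", err)
	}
	return cert.Subject.CommonName, nil // step 5: authenticated
}

// must panics on error; the demo runs on constructed data, so failing fast is fine.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// IssueDemo builds a constructed test CA, issues a three-year PIV Authentication
// certificate to a new card and publishes a signed CRL that optionally revokes it.
func IssueDemo(cn, pin string, revoked bool) (*PIVCard, *x509.CertPool, *x509.RevocationList) {
	now, year := time.Now(), 365*24*time.Hour
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Example Agency PIV CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * year),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	cardKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // generated "on the card"
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(3 * year), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &cardKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	if revoked {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey))))
	must(0, crl.CheckSignatureFrom(caCert)) // never trust a CRL the CA did not sign
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &PIVCard{authKey: cardKey, AuthCert: leaf, pin: pin}, roots, crl
}

func main() { // usage: unlock with the PIN, then authenticate
	card, roots, crl := IssueDemo("Jane Doe (constructed)", "123456", false)
	card.VerifyPIN("123456")
	fmt.Println(Authenticate(roots, crl, card, time.Now())) // Jane Doe (constructed) <nil>
}
```

Authentication fails in four distinct ways worth noticing: before the PIN is entered (the card refuses to sign), when the certificate is outside its validity period, when its serial appears on the CRL, and when the relying party's root pool does not contain the issuing CA. The last case is the misconfigured trust chain the page describes under cross-agency interoperability.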

PIV Use Cases Beyond Physical Access

While PIV cards originated as facility access badges, their strongest security value is in logical access — authenticating to networks, applications, and services using the X.509 certificates stored on the card.

Network Authentication (802.1X with EAP-TLS)

PIV cards enable certificate-based 802.1X authentication over Wi-Fi and wired networks using EAP-TLS.

The RADIUS server validates the PIV Authentication certificate chain and checks revocation status before granting network access. This eliminates passwords from the Wi-Fi authentication flow.

VPN Authentication

Federal agencies and contractors use PIV certificates to authenticate VPN sessions. The PIV card serves as the authenticator for the VPN client, replacing password-based or token-based VPN login with certificate-based mutual TLS authentication.

Desktop and Application Login

Smart card login to Windows, macOS, and Linux workstations uses the PIV Authentication certificate mapped to an Active Directory or LDAP account.

Web applications can authenticate users through client-authenticated TLS, where the browser presents the PIV certificate to the application server.

Digital Signatures and Email Encryption

The Digital Signature Certificate enables non-repudiation for signed documents and emails (S/MIME). The Encryption Certificate protects email content and files with public-key encryption.

Derived PIV Credentials for Mobile Devices

FIPS 201-3 and NIST SP 800-157 Rev. 1 formalize derived PIV credentials. These standards allow organizations to issue credentials based on proof of possession of a valid PIV card but stored on a mobile device, USB security key (like a YubiKey), or platform authenticator.

Derived PIV credentials support both PKI-based (certificate) and non-PKI-based (FIDO2/WebAuthn) phishing-resistant authentication on devices that lack a smart card reader.

PIV Infrastructure Requirements

Deploying PIV authentication across an organization requires several infrastructure components:

  • Certificate Authority (CA): Issues and manages the X.509 certificates on each PIV card. Federal agencies use CAs cross-certified with the Federal Bridge CA. Organizations adopting CIV need their own managed PKI.
  • Card Management System (CMS): Handles card personalization, certificate enrollment, PIN management, and card lifecycle events (renewal, re-key, revocation).
  • RADIUS Server: Validates PIV certificates during 802.1X network authentication. The RADIUS server checks the certificate chain, revocation status, and can enforce additional access policies based on user attributes or group membership.
  • Card Readers: Physical readers (USB contact readers, keyboard-integrated readers, or built-in laptop readers) connect the card to the operating system.
  • Middleware: Windows minidriver (built-in), OpenSC (cross-platform open source), or commercial options enable the OS and applications to communicate with the card.
  • Directory Services: Active Directory, LDAP, or an identity provider maps PIV certificates to user accounts and enforces group-based access policies.

As you can see, the infrastructure burden is significant. Managing on-premises CA servers, maintaining certificate revocation lists, patching RADIUS servers, and troubleshooting middleware compatibility across operating systems and browser versions consumes substantial IT resources — especially at scale.

Common PIV Deployment Challenges

Organizations deploying PIV authentication frequently encounter:

  • Certificate lifecycle management at scale: Tracking expiration dates, automating renewals, and handling revocations across thousands of cardholders requires purpose-built tooling, not manual spreadsheets.
  • RADIUS server availability: If the RADIUS server goes down, no one can authenticate to the network. On-premises RADIUS deployments (like Microsoft NPS) create single points of failure and require redundancy planning.
  • Cross-agency interoperability: When personnel from different agencies or contractors need access to shared networks, the relying party must trust the issuing CA. Misconfigured trust chains are a common source of authentication failures.
  • Mobile and remote access: PIV cards require physical readers, which complicates use on laptops and mobile devices. Derived PIV credentials solve this, but require additional PKI infrastructure to provision and manage.
  • Middleware compatibility: Different operating systems, browsers, and VPN clients have varying levels of smart card support. IT teams spend significant time troubleshooting why a PIV card works on one machine but not another.
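The expiry tracking the first bullet describes, as an added example in Go (not code from the original page or from SecureW2): it classifies constructed cardholder records against a renewal window, using the three-year certificate and six-year card lifetimes stated earlier on the page, and orders the findings most urgent first. The rule that a certificate must not outlive its card, the 90-day window, and all names and dates are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// certLifetime is the three-year certificate validity stated on the page.
const certLifetime = 3 * 365 * 24 * time.Hour

// Cardholder is a constructed record of what a card management system tracks per card.
type Cardholder struct {
	Name         string
	CertNotAfter time.Time // PIV Authentication certificate expiry
	CardExpiry   time.Time // expiry printed on the six-year card
	Revoked      bool      // certificate listed on the CA's CRL
}

// Finding is one action item for the PKI or card management team.
type Finding struct {
	Name   string
	Status string // revoked, card-expired, cert-expired, cert-outlives-card, renew, renew-and-reissue-card
	Days   int    // days until (negative: since) the expiry that triggered the finding
}

// LifecycleReport classifies every cardholder against a renewal window and returns the
// findings most urgent first. Cardholders that need no action produce no finding.
func LifecycleReport(holders []Cardholder, now time.Time, window time.Duration) []Finding {
	var out []Finding
	days := func(t time.Time) int { return int(t.Sub(now).Hours() / 24) }
	for _, h := range holders {
		switch {
		case h.Revoked: // authentication already fails; the card must be collected and reissued
			out = append(out, Finding{h.Name, "revoked", days(h.CertNotAfter)})
		case !h.CardExpiry.After(now):
			out = append(out, Finding{h.Name, "card-expired", days(h.CardExpiry)})
		case !h.CertNotAfter.After(now):
			out = append(out, Finding{h.Name, "cert-expired", days(h.CertNotAfter)})
		case h.CertNotAfter.After(h.CardExpiry): // assumed policy: a certificate must not outlive its card
			out = append(out, Finding{h.Name, "cert-outlives-card", days(h.CardExpiry)})
		case h.CertNotAfter.Sub(now) <= window:
			status := "renew"
			if now.Add(certLifetime).After(h.CardExpiry) { // a full three-year renewal would outlive the card
				status = "renew-and-reissue-card"
			}
			out = append(out, Finding{h.Name, status, days(h.CertNotAfter)})
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Days < out[j].Days })
	return out
}

// SampleHolders returns constructed records covering each lifecycle state.
func SampleHolders() []Cardholder {
	d := func(y int, m time.Month, day int) time.Time { return time.Date(y, m, day, 0, 0, 0, 0, time.UTC) }
	return []Cardholder{
		{"Alice (constructed)", d(2026, 6, 1), d(2028, 1, 1), false},  // healthy, no finding
		{"Bob (constructed)", d(2025, 2, 15), d(2029, 1, 1), false},   // renewal due within the window
		{"Carol (constructed)", d(2024, 12, 1), d(2027, 1, 1), false}, // certificate already expired
		{"Dave (constructed)", d(2027, 6, 1), d(2026, 1, 1), false},   // certificate outlives the card
		{"Erin (constructed)", d(2025, 3, 1), d(2025, 9, 1), false},   // renewal would outlive the card
		{"Frank (constructed)", d(2027, 1, 1), d(2029, 1, 1), true},   // revoked
		{"Grace (constructed)", d(2025, 5, 1), d(2024, 10, 1), false}, // card itself expired
	}
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC) // fixed "today" so the report is reproducible
	for _, f := range LifecycleReport(SampleHolders(), now, 90*24*time.Hour) {
		fmt.Printf("%-22s %-24s %5d days\n", f.Name, f.Status, f.Days)
	}
}
```

Two findings in the sample are the ones a spreadsheet tends to miss: a certificate that nominally has years left but belongs to a card that has already expired (Grace), and a renewal that cannot be issued for the full term because the card expires first (Erin), which means card reissuance has to be scheduled before the certificate renewal.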

SecureW2 solves these challenges by providing a managed cloud platform that automates certificate lifecycle management.

How SecureW2 Supports PIV-Based Network Authentication

PIV authentication depends on two infrastructure pillars: a PKI that issues and manages X.509 certificates, and a RADIUS service that validates those certificates during network access.

SecureW2 provides both as managed cloud services.

JoinNow Cloud RADIUS validates PIV and derived PIV certificates during 802.1X EAP-TLS authentication without requiring on-premises RADIUS servers.

Cloud RADIUS checks the certificate chain against configured trust anchors and verifies revocation status in real time.

It enforces access policies based on certificate attributes, user group membership, and device compliance signals from identity providers like Entra ID and Okta.

The service maintains 99.999% availability — no more network outages caused by a failed NPS server.

JoinNow Dynamic PKI provides a managed certificate authority for organizations adopting Commercial Identity Verification (CIV) or needing to issue derived PIV credentials to devices and users outside the federal PKI hierarchy.

Dynamic PKI supports Automated Certificate Management Environment (ACME) and Simple Certificate Enrollment Protocol (SCEP) enrollment protocols.

It automates certificate lifecycle management (issuance, renewal, revocation), and monitors certificate activity with CertIQ ML Anomaly Detection to flag suspicious patterns.

For organizations that already have a federal PKI issuing PIV cards, SecureW2 Cloud RADIUS integrates as the network authentication layer, validating those existing PIV certificates without replacing the issuing CA.

For organizations building a CIV or derived credential program, SecureW2 provides the full stack: certificate issuance, lifecycle management, and RADIUS-based network enforcement.

Whether you are deploying PIV for federal compliance, extending PIV-based access to contractors with PIV-I, or building a CIV program for your enterprise, SecureW2 provides the PKI and RADIUS backbone.

Schedule a free demo or talk to our experts about PIV-based network authentication.

Frequently Asked Questions

What is PIV?

PIV stands for Personal Identity Verification. It is a U.S. federal government standard defined by FIPS 201 that specifies how smart card credentials are issued to and used by federal employees and contractors for physical and logical access control.

Is a PIV card the same as a CAC?

No. While a PIV card and a Common Access Card (CAC) both follow the FIPS 201 standard and use X.509 certificates for authentication, they are issued by different authorities.

PIV cards are issued by federal civilian agencies while CAC cards are issued by the Department of Defense. They use separate certificate authority hierarchies, though both anchor to trusted federal root CAs.

Can PIV credentials be used for Wi-Fi authentication?

Yes. PIV cards contain an authentication certificate that supports EAP-TLS, the certificate-based protocol used for 802.1X Wi-Fi and wired network authentication.

A RADIUS server validates the PIV certificate during the connection process, eliminating the need for Wi-Fi passwords.

What are derived PIV credentials?

Derived PIV credentials are authenticators provisioned to a mobile device, USB security key, or platform authenticator based on proof that the holder possesses a valid PIV card.

FIPS 201-3 and NIST SP 800-157 Rev. 1 define derived PIV credentials, which can be PKI-based (X.509 certificates) or non-PKI-based (FIDO2/WebAuthn). They enable phishing-resistant authentication on devices without a smart card reader.

How long is a PIV card valid?

PIV card certificates are valid for three years and must be renewed before expiration. The physical card itself is valid for six years.

Organizations need certificate lifecycle management processes to handle renewals across their cardholder population before certificates expire and authentication breaks.