Derived FIDO2 Credential

This article examines Derived FIDO2 credentials, how they work, their relationship to PIV cards, and the benefits they offer. It also discusses their role in modern identity and access management, particularly in relation to NIST standards.

The FIDO2 authentication standard is reshaping how users authenticate across digital platforms by replacing passwords with public-key cryptography. One application of it is the Derived FIDO2 Credential (DFIDO2 or DFC): a FIDO2 credential whose issuance is bound to an existing Personal Identity Verification (PIV) card. The holder authenticates with the PIV card once, at enrollment, and a new FIDO2 key pair on the holder's device is registered under the same identity; later logins no longer require the card. This offers flexibility and ease of access in environments where constant physical access to the PIV card, or to a card reader, is not feasible.

What is a Derived FIDO2 Credential (DFIDO2)?

A Derived FIDO2 Credential (DFIDO2 or DFC) is a cryptographic identity credential issued on the strength of a Personal Identity Verification (PIV) card. Issuance is permitted only while the holder has an active, valid PIV card, so the root identity remains the government-issued or organizational PIV card, which acts as the primary authentication source and supplies the identity proofing that the derived credential inherits.

Once the holder has authenticated with the PIV card, for example by signing an issuer challenge with the card's PIV Authentication key, the issuer registers a new FIDO2 key pair generated on the target authenticator and binds it to the same identity. The PIV card's own keys are not copied or exported: neither PIV nor FIDO2 private keys leave the hardware that holds them, so "derived" refers to the identity binding, not to the key material. The derived credential can then be used for subsequent access to secure systems or services without inserting or presenting the PIV card.

The derived credential uses the same public-key cryptography as any FIDO2 credential: the private key stays on the authenticator and the relying party stores only the public key, so authentication never exposes or transmits the private key. The practical benefit is that users need not carry the PIV card to authenticate; they use the derived credential held on another secure device, such as a smartphone, a laptop's TPM, or a hardware security key.

The Relationship Between Derived FIDO2 Credentials and PIV Cards

Personal Identity Verification (PIV) cards, specified by FIPS 201, are a critical component of the authentication ecosystem within U.S. federal agencies and other organizations that require high-assurance identity. Each card carries a cryptographic chip holding private keys and X.509 certificates tied to the holder's identity, including the PIV Authentication key and certificate used for logical access.

A Derived FIDO2 Credential makes the PIV identity more versatile by extending it to passwordless FIDO2/WebAuthn authentication on platforms that support FIDO2 but not smart-card logon, such as mobile devices, browsers and cloud services without a card reader. The holder authenticates without physically interacting with the PIV card, which makes the process more convenient and efficient.

In essence, the PIV card remains the root of identity and the Derived FIDO2 Credential acts as an extension of that identity, usable for remote authentication and across a wider array of systems, while the assurance the PIV card provides is preserved through the binding established at issuance.

NIST Standards and Derived FIDO2 Credentials

The National Institute of Standards and Technology (NIST) provides comprehensive guidelines for digital identity management that set the bar for security and privacy: FIPS 201 defines the PIV card itself, NIST SP 800-157 (Guidelines for Derived PIV Credentials) defines how a credential may be issued on the strength of a PIV card, and NIST SP 800-63B sets the authenticator assurance levels under which FIDO2/WebAuthn authenticators qualify as phishing-resistant. Derived FIDO2 credentials based on PIV cards must align with these standards to ensure their integrity and robustness.

  • Cryptographic Strength: NIST standards emphasize strong cryptography in the creation and management of digital identities. Derived FIDO2 credentials must use NIST-approved algorithms (ECDSA P-256, the ES256 algorithm supported by FIDO2 authenticators and PIV cards alike, is the usual choice) and keep the private key in hardware from which it cannot be read out. FIDO2 authentication is phishing-resistant because each signature covers the relying party identifier and the origin the browser observed, so a credential registered for one site cannot be exercised from a look-alike site.
  • Secure Credential Generation and Storage: The derived credential must be generated in a manner that preserves its integrity. Because the root identity is the PIV card, the FIDO2 key pair is generated on the target authenticator only after a successful PIV authentication and is registered against the PIV holder's identity; nothing is extracted from the card. Once issued, the credential must live in hardware capable of protecting cryptographic keys, such as a trusted platform module (TPM), a secure element (SE) on a smartphone or laptop, or a dedicated security key. NIST SP 800-63B requires hardware-based authenticators validated under FIPS 140 for its highest assurance level (AAL3), and these are the storage mechanisms that resist physical attacks and key extraction.
  • Interoperability: The ability to use a derived FIDO2 credential across different systems and platforms is essential, and NIST's guidelines encourage it. A FIDO2 credential is scoped to the relying party identifier it was registered with, so in practice the derived credential is registered with the organization's identity provider, which then federates (for example via SAML or OpenID Connect) to intranets, cloud-based systems and third-party services, rather than being registered separately with each service.
  • Authentication Without the Physical Card: One of the key advantages of a Derived FIDO2 Credential is passwordless authentication without presenting the physical PIV card each time. This addresses challenges of traditional card-based authentication such as card-reader availability and driver compatibility on mobile and cloud platforms, and being locked out while a lost or damaged card is replaced. Users can authenticate on any platform or device that supports FIDO2, without inserting or scanning the PIV card.
  • Revocation and Lifecycle Management: NIST requires effective lifecycle management for all credentials, derived ones included. If the holder's PIV card is terminated (the holder leaves the organization or the card is revoked for cause), the derived FIDO2 credential must be revoked with it, so that a compromise of the root identity does not live on in the derived credential. Because the two credentials hold independent keys, loss of the card does not expose the derived credential's key; whether the derived credential stays usable while the card is replaced is an issuer policy decision. Note that a FIDO2 credential carries no certificate and has no CRL or OCSP status: revoking one means deleting its registered public key at the relying party or identity provider, and that deletion has to reach every place the credential was registered.
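The mechanism described earlier (PIV authentication at issuance, a new key pair on the authenticator, FIDO2 assertions afterwards) and the revocation point in the last item above, as one runnable model. This is an added example, not code from the original article or from any vendor's product; it is written in Go so that ECDSA P-256 (ES256), SHA-256 and JSON all come from the standard library. It models three parties: a PIV card that only signs issuer challenges with its PIV Authentication key, an authenticator that generates its own key pair for the derived credential, and an identity provider acting as both issuer and WebAuthn relying party. The relying party identifier login.agency.example, the subject identifier, the use of the subject as the lookup key, and all field and function names are assumptions made for the example; validation of the PIV certificate chain and the signature-counter check of a real relying party are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// ES256 (ECDSA P-256 over SHA-256) helpers; a WebAuthn assertion signs authenticatorData || SHA-256(clientDataJSON).
func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func NewChallenge() []byte       { c := make([]byte, 32); rand.Read(c); return c }
func hash(msg []byte) []byte     { h := sha256.Sum256(msg); return h[:] }
func sign(k *ecdsa.PrivateKey, msg []byte) []byte { s, _ := ecdsa.SignASN1(rand.Reader, k, hash(msg)); return s }
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool { return ecdsa.VerifyASN1(pub, hash(msg), sig) }
func signedMessage(authData, cdj []byte) []byte { return append(append([]byte{}, authData...), hash(cdj)...) }

// PIVCard stands in for the PIV Authentication key, which never leaves the card; the card only signs
// challenges. Subject is an assumed identifier taken from the PIV Authentication certificate.
type PIVCard struct {
	Subject string
	Key     *ecdsa.PrivateKey
}
func (c *PIVCard) SignChallenge(challenge []byte) []byte { return sign(c.Key, challenge) }

// Authenticator holds the derived credential: a brand-new, non-exportable key pair on the phone, TPM or
// security key. Nothing about it is computed from the PIV card's keys.
type Authenticator struct{ Key *ecdsa.PrivateKey }

// GetAssertion hashes the rpID the browser supplies into authenticatorData; that hash is what binds the
// credential to one site and makes it phishing-resistant.
func (a *Authenticator) GetAssertion(rpID string, cdj []byte) (authData, sig []byte) {
	authData = append(hash([]byte(rpID)), 0x05, 0, 0, 0, 0) // flags: user present | user verified; counter
	return authData, sign(a.Key, signedMessage(authData, cdj))
}

// clientData holds the clientDataJSON fields a relying party must check; ClientDataJSON builds them as
// the browser would for navigator.credentials.get() at a given origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

func ClientDataJSON(challenge []byte, origin string) []byte {
	b, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	return b
}

// IdP is issuer and relying party. PIV: subject -> public key from the PIV Authentication certificate
// (its chain and revocation checks are assumed done elsewhere). Derived: subject -> registered FIDO2 key.
type IdP struct {
	RPID         string
	PIV, Derived map[string]*ecdsa.PublicKey
}
func NewIdP(rpID string) *IdP { return &IdP{rpID, map[string]*ecdsa.PublicKey{}, map[string]*ecdsa.PublicKey{}} }
func (idp *IdP) EnrollPIV(card *PIVCard) { idp.PIV[card.Subject] = &card.Key.PublicKey }

// IssueDerived: the holder proves possession of the PIV Authentication key by signing a fresh challenge;
// only then is the target authenticator's public key registered under the same subject.
func (idp *IdP) IssueDerived(card *PIVCard, auth *Authenticator) error {
	pub, ok := idp.PIV[card.Subject]
	if !ok {
		return errors.New("issuance refused: no active PIV identity for subject")
	}
	challenge := NewChallenge()
	if !verify(pub, challenge, card.SignChallenge(challenge)) {
		return errors.New("issuance refused: PIV authentication failed")
	}
	idp.Derived[card.Subject] = &auth.Key.PublicKey
	return nil
}

// Authenticate checks type, challenge and origin in clientData, then rpIdHash and the user-presence flag
// in authenticatorData, then the signature, as a WebAuthn relying party does.
func (idp *IdP) Authenticate(subject string, authData, sig, cdj, challenge []byte) error {
	pub, ok := idp.Derived[subject]
	if !ok {
		return errors.New("no derived credential for subject: never issued or revoked")
	}
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) || cd.Origin != "https://"+idp.RPID {
		return errors.New("clientData type, challenge or origin mismatch")
	}
	if len(authData) < 37 || string(authData[:32]) != string(hash([]byte(idp.RPID))) || authData[32]&0x01 == 0 {
		return errors.New("rpIdHash mismatch or user not present: assertion was made for another site")
	}
	if !verify(pub, signedMessage(authData, cdj), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// RevokePIV: terminating the PIV identity removes the derived credential with it. There is no certificate
// to put on a CRL; for FIDO2, revocation means deleting the registered public key.
func (idp *IdP) RevokePIV(subject string) { delete(idp.PIV, subject); delete(idp.Derived, subject) }
```

Taken together, IssueDerived, Authenticate and RevokePIV show what a practitioner should check: issuance fails until the PIV identity is enrolled and the card signs a fresh challenge; an assertion the same authenticator makes for evil.example fails the origin and rpIdHash checks, which is the phishing resistance referred to above; a replayed assertion fails the challenge check; an assertion from an authenticator that was never registered fails the signature check; and after RevokePIV nothing remains to verify against, because revoking a FIDO2 credential is deleting its public key.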

Benefits of Derived FIDO2 Credentials

  • Convenience and Flexibility: Derived FIDO2 credentials let users authenticate securely without carrying the physical PIV card, which matters most when users access secure systems remotely or from devices without a card reader.
  • Improved Security: FIDO2's public-key cryptography makes authentication strong and phishing-resistant. A derived credential held in hardware can match the assurance of the PIV card while removing the dependency on the physical token and reader; one held in software does not, so the authenticator type should be chosen to match the assurance level required.
  • Scalability: Organizations can scale secure authentication more easily with derived FIDO2 credentials, since users can authenticate across a variety of devices without physical cards and readers being provisioned for every device.
  • Cost-Effective: Because users need not always carry a PIV card, organizations reduce the costs of managing and supporting physical access tokens and readers. Issuing derived credentials remotely, with proof of possession of the PIV card performed online, adds further flexibility.
  • Regulatory Compliance: Organizations subject to standards such as NIST SP 800-53 (Security and Privacy Controls, in particular the IA-2 multi-factor authentication controls) or FIPS 140-2 and its successor FIPS 140-3 (cryptographic module validation) can use derived FIDO2 credentials to meet their authentication requirements, provided the authenticators hold keys in validated hardware where those controls demand it.

Conclusion

The Derived FIDO2 Credential (DFIDO2/DFC) represents a significant advancement in authentication, offering users a more flexible, secure, and efficient way to authenticate without presenting the PIV card at each login. By adhering to NIST standards for cryptographic strength, hardware-backed credential storage, and lifecycle management tied to the PIV card, this solution provides robust security while improving the user experience. The derived credential framework is a powerful tool for organizations seeking to modernize their authentication systems while maintaining compliance with stringent regulatory requirements and safeguarding sensitive data.