Derived Passkeys (FIDO2)
A derived FIDO (DFIDO2) credential is a cryptographic credential that is generated or derived from a Personal Identity Verification (PIV) card. The derived identity can be issued only when an existing, active PIV ID is present. The derived FIDO credential lets you authenticate to and access secure systems or services without requiring the PIV card itself.
FIDO2 security keys support passwordless authentication by enabling you to leverage common devices to
easily authenticate to the platform or other relying parties in both mobile and desktop environments. The platform supports the issuance of FIDO2-enabled passkeys/security keys known as cross-platform or roaming authenticators leveraging the existing PIV ID. These FIDO2-capable smart cards or security keys use readers, USB ports, NFC, or Bluetooth to communicate user verification via biometrics or PIN. They are removable and cross-platform, like a YubiKey, and can be used on multiple devices.
Supported Identity Devices
A derived PIV can be issued on the following identity devices:
- IDEMIA- ID-One PIV v2.4.2 on Cosmo V8.2
- ZTPass - ZTPass on NXP P71D600
- Yubico - YubiKey 5 Series
Prerequisites
- Ensure that you are registered with the necessary privileges by an authorized user within the organization.
- Existing PIV ID - You must have at least one active PIV identity device to access the Unifyia platform.
- You have a smart card reader to read smart cards.
- You have a FIDO-supported smart card or security key, such as a YubiKey.
- Relevant identity devices, such as those listed under Supported Identity Devices, are available if you are issuing identities. The identity device type to be issued is at the discretion of your organization.
- Connect a smart card reader and insert a FIDO-supported smart card into it.
- If you are issuing a USB security key such as a YubiKey, ensure that the USB device remains connected to the computer during the DFIDO issuance process.
- If you are using an NFC passkey, connect an external NFC reader to your computer.
- You have installed the Unifyia User Client on your system to access the connected devices.
Self Issuance of Derived FIDO2 Credential
- Log into the Unifyia platform as a platform user or federated user using a PIV ID.
- Navigate to Identities.
- Select + Add New.
- If more than one identity is approved for you, you are prompted to select the workflow for which you wish to issue an identity before continuing.
- From the listed identity device options, select the identity device on which you wish to issue the derived credentials. You can issue derived FIDO credentials only on a FIDO-supported smart card or security key.
- Insert your PIV ID into the card reader attached to your computer.
- The primary card verification page appears.
- Select your PIV ID type and enter the PIN when prompted.
- On successful verification of the primary credential, the system prompts you to proceed with the
issuance of the derived credentials. Select Next.
- Connect the identity device on which the DFIDO2 credentials need to be issued.
- If using a FIDO2-supported smart card, insert it into the card reader connected to your
computer.
- If using a FIDO2-supported security key, insert it into the USB port.
- The connected reader and authenticator (identity device) details are displayed on the Issue Identity screen.
- Enter the PIN and confirm it.
- Select Personalize.
- Issuance of the derived FIDO2 credential on a connected device is completed.