Derived FIDO2 Credential

A Derived FIDO2 Credential (DFIDO2 or DFC) is a cryptographic identity credential that is issued on the strength of a Personal Identity Verification (PIV) card. Issuance is only permitted while the applicant holds an active, valid PIV credential and authenticates with it, so the root identity stays tied to a government-issued or organizational PIV card, which acts as the primary authentication source.

Once the cardholder has authenticated with the PIV card (typically by signing a challenge with the card's PIV Authentication key so that the issuer can validate the certificate and signature), the system can issue a FIDO2 credential to a second authenticator. The FIDO2 key pair is freshly generated on that authenticator; it is not mathematically derived from the PIV card's keys, whose private halves never leave the card. What is "derived" is the identity assurance: in the sense used by NIST SP 800-157, the new credential inherits the identity proofing already performed for the PIV card rather than repeating it. The derived credential can then be used for subsequent access to secure systems or services without the need to physically insert or present the PIV card.

The derived credential leverages public key cryptography, the same technology behind the FIDO2 standard, allowing users to authenticate securely across systems without exposing or transmitting their private key. The key benefit is that users do not have to carry the physical PIV card to authenticate, but can instead use the derived credential stored on other secure devices (such as smartphones, laptops, or mobile tokens). Because the derived credential inherits its trust from the PIV card, its lifecycle should follow the card's: when the PIV credential is revoked or expires, the derived credential should be invalidated as well.
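The two-step issuance described above, as an added example that is not part of the original page or of any product: a relying party first verifies a PIV Authentication certificate and challenge signature, and only then accepts a FIDO2 registration, storing the freshly generated authenticator key under the PIV subject. The issuer CA, the card, the authenticator, the "JANE DOE" subject and the `authData`/`clientDataJSON` contents are all constructed for the demonstration; the WebAuthn attestation is reduced to its signed `authData || SHA-256(clientDataJSON)` core. The expired-card path shows the issuer refusing to issue when the PIV credential is no longer valid.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DerivedCredential is what the relying party (RP) stores after enrolment: a
// FIDO2 public key bound to the PIV identity that authorised its issuance.
type DerivedCredential struct {
	PIVSubject string           // subject of the PIV Authentication certificate
	CredID     []byte           // credential ID chosen by the authenticator
	PubKey     *ecdsa.PublicKey // fresh key generated by the authenticator
}

// verifyPIVAuth is step 1: the card signs the RP's challenge with its PIV
// Authentication key. The RP checks that the certificate chains to a trusted
// issuer, is within its validity period, and that the signature verifies.
// The PIV private key never leaves the card; nothing is derived from it.
func verifyPIVAuth(roots *x509.CertPool, certDER, challenge, sig []byte, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("PIV certificate rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected PIV key type")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("PIV challenge signature invalid")
	}
	return cert.Subject.CommonName, nil
}

// enrolDerived is step 2, run only after step 1 succeeds: the authenticator
// signs authData || SHA-256(clientDataJSON) with the new key pair it generated
// for this RP (simplified WebAuthn self-attestation), and the RP records that
// key under the PIV subject.
func enrolDerived(pivSubject string, credID []byte, pub *ecdsa.PublicKey, authData, clientDataJSON, sig []byte) (*DerivedCredential, error) {
	cdh := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], sig) {
		return nil, errors.New("FIDO2 registration signature invalid")
	}
	return &DerivedCredential{PIVSubject: pivSubject, CredID: credID, PubKey: pub}, nil
}

// simulatedEnrolment stands in for the issuer CA, the PIV card and the FIDO2
// authenticator so the flow runs offline (all constructed data). With
// expiredCard set, the PIV certificate has lapsed and the RP must refuse.
func simulatedEnrolment(expiredCard bool) (*DerivedCredential, *ecdsa.PublicKey, error) {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Example PIV CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)

	// PIV card: holder key plus a PIV Authentication certificate from the CA.
	pivKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	notAfter := now.Add(3 * 365 * 24 * time.Hour)
	if expiredCard {
		notAfter = now.Add(-time.Hour)
	}
	pivTmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "JANE DOE"}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now.Add(-24 * time.Hour), NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	pivDER, _ := x509.CreateCertificate(rand.Reader, pivTmpl, caCert, &pivKey.PublicKey, caKey)

	// Step 1: the RP issues a random challenge and the card signs it.
	challenge := make([]byte, 32)
	rand.Read(challenge)
	h := sha256.Sum256(challenge)
	pivSig, _ := ecdsa.SignASN1(rand.Reader, pivKey, h[:])
	subject, err := verifyPIVAuth(roots, pivDER, challenge, pivSig, now)
	if err != nil {
		return nil, &pivKey.PublicKey, err
	}

	// Step 2: the authenticator generates a brand-new key pair and signs the
	// registration data; the RP binds the new key to the verified PIV subject.
	fidoKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	credID := make([]byte, 16)
	rand.Read(credID)
	authData := append([]byte("constructed-authData:"), credID...)
	clientDataJSON := []byte(`{"type":"webauthn.create","origin":"https://rp.example"}`)
	cdh := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	fidoSig, _ := ecdsa.SignASN1(rand.Reader, fidoKey, msg[:])
	cred, err := enrolDerived(subject, credID, &fidoKey.PublicKey, authData, clientDataJSON, fidoSig)
	return cred, &pivKey.PublicKey, err
}

func main() {
	cred, _, err := simulatedEnrolment(false)
	fmt.Println("valid card:", cred != nil, err)
	_, _, err = simulatedEnrolment(true)
	fmt.Println("expired card:", err)
}
```

The point to notice is that `enrolDerived` never sees the PIV key at all: the only link between the two credentials is the verified subject name carried from step 1 into the stored record, which is also the handle an issuer needs in order to revoke the derived credential when the PIV card is terminated.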