Derived PIV Credentials: Extending Secure Identity

This article explores PIV and DPIV credentials, focusing on how DPIV offers a more flexible identity solution for federal users where the physical PIV card cannot be utilized. It provides an overview of DPIV's key characteristics, security features, benefits, and practical use cases.

What is a PIV Credential?

The Personal Identity Verification (PIV) credential is a standard set by the U.S. federal government for identity authentication. It typically involves a physical smart card that stores a user's cryptographic credentials, such as a public key, digital certificates, biometric data, and other identity information. PIV is widely used by federal employees and contractors for secure access to government systems, but it is also increasingly used in other industries as a standard for strong authentication.

A PIV card is typically used for:

  • Two-factor authentication (2FA): Combining something you have (the PIV card) and something you know (PIN/password).
  • Public key infrastructure (PKI): Storing digital certificates for secure communications.
  • Digital signatures: Verifying the identity of the user in transactions or documents.

A PIV card contains four main cryptographic certificates, each serving a different role in providing secure authentication, encryption, and digital signatures. These certificates are embedded in the card to enable strong, multi-factor authentication and support various secure activities.

Certificate                     | Primary Purpose                                               | Example Use Case
Authentication Certificate      | Authenticates the cardholder's identity                       | Logging into a computer system or accessing a secure system
Digital Signature Certificate   | Digitally signs documents or communications                   | Signing legal documents or emails
Key Management Certificate      | Encrypts/decrypts sensitive information                       | Encrypting emails or files for secure transmission
Card Authentication Certificate | Authenticates the PIV card itself to systems or access points | Physical access to secure areas (e.g., doors, buildings)

Each of these certificates ensures that the PIV card can provide robust authentication and encryption across multiple use cases, significantly enhancing security while supporting a variety of enterprise and government security needs. Together, they provide a strong basis for multi-factor authentication, secure communications, and identity verification.

What is a Derived PIV Credential?

A Derived PIV Credential (DPC) or Derived Personal Identity Verification (DPIV) credential is a secondary cryptographic credential that is created from an individual's primary PIV credential. The issuance of this credential complies with the NIST SP 800-157r1 standard and is permitted only when there is an active PIV ID in place. It is primarily used in situations where the physical PIV credential is unavailable or impractical, but the user still requires access to systems or authentication tasks. Derived PIV credentials retain the same security and identity attributes as the primary PIV credential but are issued in alternative forms, such as software tokens, mobile device credentials, or other digital formats.

The DPC/DPIV credential can be used in a variety of scenarios where the physical PIV card cannot be utilized (such as mobile devices, remote systems, or virtual environments). It can be securely stored in digital form (e.g., in a secure enclave on a mobile device, security keys, or smart cards) and used for passwordless authentication, maintaining a zero-trust security model.

The Unifyia platform allows operators and users to issue a DPIV (Derived PIV) credential by validating an existing PIV ID, which is treated as the primary credential. It supports issuing DPIV credentials to both platform-registered and federated users. Users can be imported from integrated directories, provided the directory (LDAP/AD) is already connected to the Unifyia platform for user federation. Group mappings should also be set up after group creation so that the platform correctly maps directory user groups to its own groups. Additionally, a role mapper for user roles must be pre-configured for users coming from the directories.

Supported Identity Devices

A derived PIV can be issued on the following identity devices on the Unifyia platform:

  • IDEMIA - ID-One PIV v2.4.2 on Cosmo V8.2
  • IDEMIA - ID-One PIV 2.4.1 on Cosmo V8.1
  • IDEMIA - ID-One PIV 2.3.4 on Cosmo V7
  • Giesecke & Devrient - G&D SCE 7.0 with PIV Applet V1.0
  • ZTPass - ZTPass on NXP P71D600
  • Thales - Thales IDPrime PIV v3.0
  • Yubico - YubiKey 5 Series
  • Arculus - Arculus AuthentiKey
  • Swissbit - Swissbit iShield Key

Derived PIV Credential Derivation Process

The DPC or DPIV is generated using a secure, cryptographic process that derives its identity and authentication capabilities from the primary PIV credential. This process maintains the same level of security as the original PIV card by utilizing public-key cryptography, ensuring the integrity and authenticity of the credential.

Key Characteristics and Use Cases

  • Secure Authentication: Since the derived credential maintains a direct relationship with the original PIV credential, it carries the same strong cryptographic guarantees. When used, the derived credential ensures secure, passwordless authentication using public key infrastructure (PKI), offering protection against man-in-the-middle attacks and credential theft.
  • Mobile and Remote Access: A major benefit of DPCs is that they make it possible to use the authentication capabilities of the primary PIV credential on mobile devices or remote environments that cannot support the physical card itself. For example, the credential could be used in a mobile app or a virtual desktop environment where access to a physical PIV card reader is not feasible.
  • Compliance with Security Standards: The derived PIV credential meets the same high standards for security and identity verification as the primary PIV credential. This is particularly important in sectors like government, healthcare, and finance, where strict compliance with regulations (e.g., FISMA and NIST guidelines) is required.
  • Flexibility for Enterprises: Organizations can leverage DPCs to enable a zero-trust authentication environment, ensuring that access to sensitive systems and data is continuously verified using secure cryptographic processes, and not relying on the inherent trust of a single network perimeter.

The Derivation Process

To generate a Derived PIV Credential (DPC), the following general steps might be involved:

  • Key Pair Generation: A public/private key pair is generated based on the user's original PIV credential.
  • Secure Derivation: The private key associated with the original PIV credential is used to derive a new key pair, or alternatively, a unique credential may be created by deriving information from the original PIV's certificate.
  • Enrollment: The derived credential is then securely enrolled on a specific device or system (such as a mobile phone or computer), often within a secure element or hardware security module (HSM) to protect the private key.

Authentication with DPC/DPIV

Once a Derived PIV Credential (DPC) is created and enrolled, it can be used in place of the primary PIV card for secure authentication. The process typically works as follows:

  • Authentication Request: A user attempts to access a system or application that supports DPC-based authentication.
  • Cryptographic Challenge: The system issues a cryptographic challenge (e.g., a nonce or random value) that the DPC must sign using the private key associated with the derived credential.
  • Verification: The signed challenge is sent back to the system, which verifies it using the corresponding public key associated with the DPC, ensuring that the user is who they claim to be.

This process ensures that the authentication is secure, cannot be easily tampered with, and confirms that the user has access to the private key associated with their identity.
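The challenge-response exchange just described, as an added example that is not part of the original article or the Unifyia platform: a relying party issues a one-time random nonce, the token signs it with the derived credential's private key (a freshly generated ECDSA P-256 key stands in for the DPIV key here), and the relying party verifies the signature with the credential's public key and refuses to accept the same nonce a second time, so a captured signed challenge cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RelyingParty records issued challenges; each nonce is consumed on first use to block replay.
type RelyingParty struct {
	outstanding map[[32]byte]bool
}

// IssueChallenge returns a fresh random 32-byte nonce and records it as outstanding.
func (rp *RelyingParty) IssueChallenge() ([32]byte, error) {
	var nonce [32]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return nonce, err
	}
	rp.outstanding[nonce] = true
	return nonce, nil
}

// Verify checks the signed challenge against the credential's public key and consumes the nonce.
func (rp *RelyingParty) Verify(pub *ecdsa.PublicKey, nonce [32]byte, sig []byte) bool {
	if !rp.outstanding[nonce] {
		return false // unknown or already-used challenge: treated as a replay
	}
	delete(rp.outstanding, nonce)
	digest := sha256.Sum256(nonce[:])
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// SignChallenge models the token side: the private key never leaves the device.
func SignChallenge(priv *ecdsa.PrivateKey, nonce [32]byte) ([]byte, error) {
	digest := sha256.Sum256(nonce[:])
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the DPIV key
	rp := &RelyingParty{outstanding: map[[32]byte]bool{}}
	nonce, _ := rp.IssueChallenge()
	sig, _ := SignChallenge(priv, nonce)
	fmt.Println("first use:", rp.Verify(&priv.PublicKey, nonce, sig)) // true
	fmt.Println("replay:", rp.Verify(&priv.PublicKey, nonce, sig))    // false
}
```

In a real deployment the public key would be taken from the derived credential's certificate after validating its chain and revocation status; that step is outside this sketch.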

Security Features and Benefits

  • Strong Cryptography: The derived credential maintains the same strong cryptographic protections as the original PIV card, such as encryption and digital signatures, ensuring that all communications and authentication requests are secure.
  • Zero Trust: The use of cryptographic verification and absence of password dependency aligns with the principles of Zero Trust Security. Access is granted based on continuous verification of identity and device trust, not simply relying on perimeter security or static credentials.
  • Risk Mitigation: Since the derived credential is based on the PIV’s secure cryptographic structure, risks associated with password-based systems (e.g., phishing, keylogging, and brute-force attacks) are mitigated.

Use Cases

  • Government Employees and Contractors: Federal employees or contractors may use DPCs to access secure government systems or networks from mobile devices or remote locations.
  • Healthcare: Medical professionals may use DPCs for secure access to patient data or systems without needing a physical PIV card.
  • Enterprise Security: Corporations and organizations implementing zero-trust architectures can use DPCs to enable secure, passwordless login for employees accessing internal systems and applications.

A Derived PIV Credential (DPC or DPIV) provides a more flexible and portable form of the secure identity established by a Personal Identity Verification (PIV) card. It enables users to authenticate to systems and services securely and seamlessly across various devices and platforms, without sacrificing the integrity and security of the original PIV credential.