Credential Management System
The Unifyia platform functions as a comprehensive Credential Management System (CMS) designed to
streamline the issuance, authentication, and lifecycle maintenance of digital and physical credentials at a granular level. Based on the organization's group policies and the configured workflows, you can issue one or more identities/credentials to a single user, and you can enable multiple login options according to the user's assigned groups. The system helps organizations strengthen security, improve the user experience, and adopt passwordless technologies.
Key Features
- Granular Multi-Credential Issuance: Supports issuing and managing multiple credential types,
including passkeys, to meet diverse organizational and regulatory requirements.
- Passwordless Authentication: Uses authentication methods that take the password out of the
login flow, avoiding password-related vulnerabilities and reducing user friction.
- Secure Lifecycle Management: Includes issuance, revocation, renewal, suspension,
and reissuance workflows, ensuring credential integrity throughout their lifecycle.
- Mobile Integration: Fully compatible with mobile platforms, enabling the use of
credentials for authentication, access, and identity verification via a secure app interface.
- Interoperability: Seamless integration with identity federation, FIDO2
authentication systems, and identity brokering frameworks.
- Compliance: Adheres to federal and industry standards, ensuring secure and
compliant operations across various domains.
Supported Identity Types
The Unifyia platform supports the issuance of the following credential types:
- PIV (Personal Identity Verification): The government-standard credential specified by FIPS 201,
providing secure access to physical and logical resources, aligned with NIST SP 800-63-4 and related
federal guidelines.
- PIV-I (Personal Identity Verification - Interoperable): An interoperable credential issued by
non-Federal issuers; the alternative credential standard for non-Federal employees who need access to
federal resources for six (6) months or less.
- CIV (Commercial Identity Verification): A credential for enterprises that want to follow the PIV
specification without cross-certification with the Federal PKI. Any enterprise can create, issue, and
use CIV credentials according to the requirements of its own corporate environment.
- DPIV (Derived PIV): A cryptographic credential derived from an existing Personal Identity
Verification (PIV) card, as described in NIST SP 800-157. It offers assurance comparable to the PIV
card while letting the holder authenticate to systems and services without presenting the card. The
platform supports DPIV issuance on PIV-supported smart cards and security keys.
- DFIDO2 (Derived FIDO2): Passwordless FIDO2 credentials whose issuance is bound to an existing PIV
credential, for better usability and interoperability with FIDO2-enabled systems. The platform supports
DFIDO2 issuance on FIDO2-supported smart cards and security keys.
- Passkeys (FIDO2 Credentials): Passwordless credentials compliant with the FIDO2/WebAuthn standards,
designed for strong security and a consistent user experience across platforms and devices. You can
issue FIDO2 credentials on platform authenticators such as Windows Hello (TPM-backed) or mobile
devices, and on cross-platform (roaming) authenticators such as security keys.
- Mobile Identities and Derived Mobile Identities: Digital identities issued to mobile devices through
the Unifyia ID Wallet app, providing secure, convenient access to resources and services. Derived
mobile credentials are issued after verifying the user's existing PIV credential.
Supported Identity Devices
The Unifyia platform supports issuance to smart cards, security keys, and ID cards, and issuance of
mobile identities to the Unifyia ID Wallet. The following identity device models are supported for
issuance with the Unifyia platform.
- Personal Identity Verification (PIV) based smart devices
- IDEMIA - ID-One PIV v2.4.2 on Cosmo V8.2
- IDEMIA - ID-One PIV 2.4.1 on Cosmo V8.1
- IDEMIA - ID-One PIV 2.3.4 on Cosmo V7
- Giesecke & Devrient - G&D SCE 7.0 with PIV Applet V1.0
- ZTPass - ZTPass on NXP P71D600
- Thales - Thales IDPrime PIV v3.0
- Yubico - YubiKey 5 Series
- Arculus AuthentiKey
- Swissbit - Swissbit iShield Key
- Mobile Identities (Requires Unifyia ID Wallet App)
Supported Card Readers
The following card readers are supported for issuing PIV credentials.
- PC/SC card readers, contact and contactless. For example:
- ACS ACR122U NFC Contactless Smart Card Reader
- ACS ACR39U-U1 Smart Card Reader
- SecuGen Hamster Pro Duo SC/PIV
Supported Printers
The following card printers are supported for printing PIV IDs.
- HID FARGO® HDP6600
- Matica XID8600
- Magicard Rio Pro 360
- Magicard 360 NEO (V2)
Issuance Options
Based on the selected identity type, the following issuance options are available:
- Personalize: Writes the credential to an identity device such as a smart card or a security key.
- For a smart card: connect a card reader to your computer and insert the smart card.
- For a security key: insert the security key into a USB port.
- Select Personalize.
- The platform confirms when the device has been personalized.
- Print: Prints a smart card or an ID card.
- The connected card printer is selected automatically. If multiple printers are connected, select the
required printer from the drop-down list. Ensure that the printer is loaded with cards.
- Select Print ID to print the card.
- Personalize and Print: Personalizes and prints a smart card in one step.
- The connected card printer is selected automatically. If multiple printers are connected, select the
required printer from the drop-down list. Ensure that the printer is loaded with cards.
- Select Personalize to personalize only.
- Select Personalize and Print to personalize and print the card.
- Register FIDO2 WebAuthn: Issues a FIDO2 credential on a FIDO2-supported security key.
- Set up the security key with a PIN or passcode; this is what the key uses for user verification.
- Give the passkey a name.
- Issue Mobile Identities: If you have chosen to issue mobile identities to a user, a page for setting
up the Unifyia ID Wallet app is displayed. Using the QR code, or the URL and secret key, you can fetch
the mobile identities onto the user's mobile device. The user must first install the Unifyia ID Wallet
app on the mobile device. Treat the QR code and the secret key as an enrollment secret and present them
only to the intended user.
Authentication Methods
The Unifyia platform supports the following authentication methods:
- Login using PIV, PIV-I, CIV, or Derived PIV credentials
- Login using federated PIV identities
- Platform authenticators: passkeys (FIDO2)
- Cross-platform authenticators: external FIDO2 security keys / derived passkeys (FIDO2)
- Unifyia ID Wallet
- Unifyia ID Wallet with PKI: consent-based authentication in which a PKI credential stored on the
mobile device signs the consent
- Unifyia ID Wallet with Push Verify: consent-based authentication
- Unifyia ID Wallet with OTP: authentication using one-time passwords
- Unifyia ID Wallet with FIDO2: authentication using a FIDO2 credential
Granular Lifecycle Management
The Unifyia platform gives organizations role-based access to credential lifecycle management, in line
with regulatory guidelines. It includes predefined lifecycle actions aligned with the assigned PIV roles,
and lets organizations customize which roles are responsible for which lifecycle actions as requirements
evolve.
Delegating lifecycle management by role gives users clear guidance and tools to manage their own
credentials responsibly, improving the overall user experience.
Lifecycle actions for smart cards, security keys, mobile devices, and mobile identities are managed
independently. The available options are displayed dynamically according to the status of the respective
device, so that only the actions valid for that status are offered.
The platform supports the role-based lifecycle actions listed below. The actions performed by
PIV-authorized roles are listed generically under an operator; organizations can delegate them to roles
as required.
Operator Lifecycle Actions: An operator can perform the following lifecycle actions:
- Suspend
- Reactivate
- Renew Certificates
- Change PIN
- Reset Device PIN
- Revoke
- Remove
- Show PUK
User Lifecycle Actions: A user can perform the following lifecycle actions:
- Suspend
- Reactivate
- Renew
- Change PIN
- Report Incident
- Reset PIN with PUK