Derived Passkeys (FIDO2)

A derived FIDO2 (DFIDO2/DFC) credential is a FIDO2 credential issued on the strength of a user's Personal Identity Verification (PIV) card: it is a separate credential bound to the same identity, and it can be issued only while the user holds an existing, active PIV ID. Once issued, the derived credential lets the user authenticate to protected systems and services without presenting the PIV card.

DFCs support zero trust, passwordless authentication by letting users authenticate to the platform and to other relying parties from common devices, in both mobile and desktop environments. The platform issues FIDO2 passkeys on security keys and smart cards that act as cross-platform (roaming) authenticators, using the existing PIV ID as the proof of identity. These authenticators connect over a smart card reader, USB, NFC or Bluetooth and perform user verification locally with a PIN or biometric before signing. Like a YubiKey, they are removable and not tied to a single device, so one key can be used across multiple computers and phones.

Supported Identity Devices

You can issue derived credentials only on a FIDO2-capable smart card or security key. A derived FIDO2 credential can be issued on the following identity devices:

  • IDEMIA - ID-One PIV v2.4.2 on Cosmo V8.2
  • ZTPass - ZTPass on NXP P71D600
  • Yubico - YubiKey 5 Series
  • Arculus - AuthentiKey
  • Swissbit - iShield Key

Prerequisites

  • Ensure that users are registered with the necessary privileges within the organization.
  • Existing PIV ID - The user must hold at least one active PIV identity device; it serves as the primary credential whose issuance status is verified before a derived credential is issued.
  • You have a smart card reader to read smart cards.
  • You have a new FIDO2-capable smart card or security key, such as a YubiKey.
    • Use one of the devices listed under Supported Identity Devices above; which device type is issued is at the discretion of the organization.
    • For a smart card, connect a smart card reader and insert the FIDO2-capable card into it.
    • For a USB security key such as a YubiKey, keep the key plugged into the computer for the whole DFIDO2 issuance process.
    • For an NFC passkey, connect an external NFC reader to your computer.
  • You have installed the Unifyia Operator Client on your system to access the connected devices.
  • The Passkeys policy on the Unifyia platform is configured with the option to issue cross-platform authenticators.

Derived Passkeys (FIDO2) Issuance

  1. Log into the Unifyia platform.
  2. Navigate to Management > Users. Search for the user by name or email.
  3. Under the Actions column, select the Issue Identity icon to start the issuance process.
  4. If the user is approved for multiple identities, you will be prompted to select the workflow for which you wish to issue an identity.
  5. From the listed options select the identity device on which you wish to issue the derived credentials.
  6. Verify the issuance status of the user's PIV ID first.
  7. Insert the user's PIV ID into the card reader attached to your computer.
  8. The primary card verification page appears.
  9. Select the PIV ID type and have the user enter the PIV PIN when prompted.
  10. On successful verification of the primary credential, the system prompts you to proceed with the issuance of the derived credentials. Select Next.
  11. Connect the identity device on which the DFIDO2 credentials need to be issued.
    1. If using a FIDO2-supported smart card, insert it into the card reader connected to your computer.
    2. If using a FIDO2-supported USB security key, insert it into the USB port.
    3. If you are using a FIDO2-supported NFC security key, connect an external NFC reader to your computer and tap the key when prompted.
  12. The connected reader and authenticator (identity device) details are displayed on the Issue Identity screen.
  13. Select Personalize.
  14. An email containing the PIN for the newly issued credential is sent to the user.

The derived FIDO2 credential is now issued on the connected device.
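As an added check that is not part of the Unifyia documentation: after issuance, an operator can read the authenticator's own CTAP2 authenticatorGetInfo response to confirm the device is what the procedure above is meant to produce, a cross-platform FIDO2 authenticator with user verification (a set PIN or an enrolled biometric) and resident-key support. The example below is an added illustration, not Unifyia's or any vendor's code. It uses Yubico's python-fido2 library (pip install fido2; pyscard as well for NFC/PC-SC readers) for the optional live read, and otherwise runs its assessment on constructed sample GetInfo data. The function names and the sample values are assumptions.

```python
"""Post-issuance sanity check for a FIDO2 cross-platform authenticator.

The assessment is pure Python over the fields of a CTAP2 authenticatorGetInfo
response (versions, options, transports). The live read is optional and is
attempted only when python-fido2 is installed and a device is connected.
"""

from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class InfoCheck:
    """Result of assessing one authenticator: ok plus human-readable findings."""
    ok: bool
    findings: List[str] = field(default_factory=list)


def assess_get_info(versions: Iterable[str],
                    options: Dict[str, bool],
                    transports: Optional[Iterable[str]] = None) -> InfoCheck:
    """Judge whether a GetInfo response describes a personalized roaming FIDO2 key.

    CTAP2 semantics relied on here:
      - versions: a FIDO2 key advertises at least one "FIDO_2_x" string.
      - options["clientPin"]: absent = no PIN capability, False = PIN capable
        but no PIN set yet, True = a PIN is set.
      - options["uv"]: True when a built-in verifier (e.g. fingerprint) is enrolled.
      - options["rk"]: resident (discoverable) credentials, i.e. passkeys, supported.
      - options["plat"]: True marks a platform (built-in) authenticator.
      - transports: "internal" is the transport used only by platform authenticators.
    """
    findings: List[str] = []
    versions = list(versions)
    if not any(v.startswith("FIDO_2_") for v in versions):
        findings.append(f"no FIDO2 (CTAP2) version advertised: {versions}")

    pin = options.get("clientPin")
    uv = options.get("uv", False)
    if pin is None and not uv:
        findings.append("no user verification capability (neither clientPin nor uv)")
    elif pin is False and not uv:
        findings.append("PIN capable but no PIN set; credential would be usable with presence only")

    if not options.get("rk", False):
        findings.append("no resident-key support; passkeys cannot be stored on the device")

    if options.get("plat", False):
        findings.append("reports plat=True: platform authenticator, not a cross-platform device")

    if transports is not None and "internal" in transports:
        findings.append("advertises the 'internal' transport, which only platform authenticators use")

    return InfoCheck(ok=not findings, findings=findings)


# Constructed sample GetInfo fields (assumptions, not captured from real devices).
SAMPLE_PERSONALIZED_KEY = {
    "versions": ["U2F_V2", "FIDO_2_0", "FIDO_2_1"],
    "options": {"rk": True, "up": True, "plat": False, "clientPin": True},
    "transports": ["usb", "nfc"],
}
SAMPLE_FRESH_KEY_NO_PIN = {
    "versions": ["U2F_V2", "FIDO_2_0"],
    "options": {"rk": True, "up": True, "plat": False, "clientPin": False},
    "transports": ["usb"],
}


def assess_sample(sample: dict) -> InfoCheck:
    """Run the assessment on one of the constructed sample dictionaries."""
    return assess_get_info(sample["versions"], sample["options"], sample.get("transports"))


def assess_connected_devices() -> List[InfoCheck]:
    """Read GetInfo from every connected CTAP device (USB HID, then PC/SC or NFC)."""
    try:
        from fido2.ctap2 import Ctap2
        from fido2.hid import CtapHidDevice
    except ImportError:
        return []  # python-fido2 not installed; nothing to read
    devices = list(CtapHidDevice.list_devices())
    try:
        from fido2.pcsc import CtapPcscDevice  # needs pyscard and a PC/SC reader
        devices += list(CtapPcscDevice.list_devices())
    except Exception:
        pass
    results: List[InfoCheck] = []
    for dev in devices:
        try:
            info = Ctap2(dev).get_info()
        except ValueError:  # U2F-only device, no CTAP2 support
            results.append(InfoCheck(ok=False, findings=["device does not support CTAP2"]))
            continue
        results.append(assess_get_info(info.versions, dict(info.options), info.transports))
    return results


if __name__ == "__main__":
    for name, sample in [("personalized", SAMPLE_PERSONALIZED_KEY),
                         ("fresh, no PIN", SAMPLE_FRESH_KEY_NO_PIN)]:
        print(name, assess_sample(sample))
    for result in assess_connected_devices():
        print("connected device", result)
```

A key that comes back with "PIN capable but no PIN set" has not been personalized with the PIN the user is emailed in step 14, and a credential on it would protect against nothing more than a lost-and-found attacker pressing the button; it should not be handed over in that state. A "plat=True" or "internal" finding means the platform registered a built-in authenticator rather than the removable device the Passkeys policy was configured to issue.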