Derived PIV

A Derived PIV (Personal Identity Verification) credential is a secondary cryptographic credential created from an individual's primary PIV credential. Issuance follows NIST SP 800-157r1 and is permitted only while the user holds an active PIV ID. A derived PIV is used where the physical PIV card is unavailable or impractical but the user still needs to authenticate to systems. It carries the same identity attributes as the primary PIV credential and is issued in an alternative form, such as a software token, a mobile device credential, or a second hardware token.

As an operator, you can issue a DPIV (Derived PIV) credential to a user by validating their existing PIV ID. The user must be present with their PIV ID so that the primary credential can be verified.

The platform supports issuing DPIV credentials to both platform-registered and federated users. Users can be imported from an integrated directory, provided that the directory (LDAP/AD) is already connected to the Unifyia platform for user federation. After creating groups, set up group mappings so that the platform correctly maps directory groups to its own groups. A role mapper for user roles must also be configured in advance for users coming from the directory.

The following sections also describe how to import a directory user for DPIV issuance.

Supported Identity Devices

A derived PIV can be issued on the following identity devices:

  • IDEMIA - ID-One PIV v2.4.2 on Cosmo V8.2
  • IDEMIA - ID-One PIV v2.4.1 on Cosmo V8.1
  • IDEMIA - ID-One PIV v2.3.4 on Cosmo V7
  • Giesecke & Devrient - G&D SCE 7.0 with PIV Applet V1.0
  • ZTPass - ZTPass on NXP P71D600
  • Thales - Thales IDPrime PIV v3.0
  • Yubico - YubiKey 5 Series
  • Arculus - Arculus AuthentiKey
  • Swissbit - Swissbit iShield Key

Prerequisites

  • Ensure that an authorized operator in your organization has registered you with the necessary privileges and that you have at least one active identity device for accessing the Unifyia platform.
  • The user for whom the derived credential will be issued is present in person at the issuance center.
  • Existing PIV ID - Users must have at least one active PIV identity device issued on the platform or by a federated organization.
  • You have a smart card reader attached to your computer.
  • You have a new PIV smart card or a PIV-capable security key such as a YubiKey. If you are issuing to a USB security key such as a YubiKey, keep the USB device connected to the computer throughout DPIV issuance.
  • You have installed the Unifyia Operator Client on your system to access the connected devices.

Derived PIV Issuance

Import User From Directory

  1. Navigate to Management > Master View Directory.
  2. Search the user either by name or email. The details of the directory user appear.
  3. Select Import to import the user. A confirmation appears when the import succeeds.

The steps for issuing a DPIV are the same for federated users and for users registered on the platform.

Follow the steps below to issue a DPIV credential.

  1. Navigate to Management > Users. Search the user either by name or email. Under the Actions column, select the Issue Identity icon to start the issuance process.
  2. If the user is approved for multiple identities, you will be prompted to select the workflow for which you wish to issue an identity.
  3. Next, from the listed identity device options, select the identity device on which you wish to issue the derived PIV. A derived PIV can be issued on a PIV-capable smart card or security key. Before the credential can be derived, the issuance status of the user's PIV ID must be verified.
  4. Insert the user’s PIV ID into the card reader attached to the computer.
  5. The primary card verification page appears.
  6. Select the PIV ID type and ask the user to enter the PIN when prompted.
  7. On successful verification of the primary credential, the system prompts you to proceed with the issuance of the derived PIV. Select Next.
  8. Connect the identity device on which the derived PIV will be issued:
    1. For a smart card: Connect an additional card reader to your computer and insert the new PIV smart card. If an additional reader is not available, remove the PIV ID from the reader and insert the new PIV smart card in its place.
    2. For a security key: Insert the security key into a USB port.
  9. The details of the connected reader and authenticator are displayed on the Issue Identity screen.
  10. Ask the user to set a PIN and confirm it.
  11. Select Personalize.
  12. A success message appears once the credentials have been issued to the selected device.

Issuance of the derived PIV credential is completed.
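The primary-credential check in steps 4 to 7 rests on the cardholder proving possession of the PIV card by entering its PIN. The Unifyia Operator Client performs that exchange for you; the following Python is an added example, not Unifyia's code, showing what the check looks like at the card level: it builds the VERIFY command that NIST SP 800-73-4 defines for the PIV Card Application PIN (CLA 00, INS 20, P1 00, P2 80, PIN padded with 0xFF to 8 bytes) and interprets the returned status word. The card it talks to is a constructed in-memory stand-in, not a real PIV card, so the retry-counter and blocked-card cases can be exercised without hardware; the PIN values and the three-try limit are assumptions for the mock only.

```python
"""PIV application PIN verification (VERIFY, INS 0x20) as specified in NIST SP 800-73-4.

Added example: the card below is a constructed mock, not a real PIV card or Unifyia code.
"""
from dataclasses import dataclass
from typing import Optional

PIV_PIN_KEY_REF = 0x80   # PIV Card Application PIN; 0x81 would be the Global PIN
SW_OK = 0x9000           # verification succeeded
SW_BLOCKED = 0x6983      # authentication method blocked (retry counter exhausted)
SW_WRONG_DATA = 0x6A80   # incorrect parameters in the data field (bad PIN format)


def build_verify_apdu(pin: Optional[str], key_ref: int = PIV_PIN_KEY_REF) -> bytes:
    """Build a VERIFY APDU. pin=None sends the no-data form, which only reports
    the remaining retries and does not consume an attempt."""
    if pin is None:
        return bytes([0x00, 0x20, 0x00, key_ref])
    if not (6 <= len(pin) <= 8) or not pin.isdigit():
        raise ValueError("PIV application PIN must be 6 to 8 ASCII digits")
    data = pin.encode("ascii").ljust(8, b"\xff")   # pad to 8 bytes with 0xFF
    return bytes([0x00, 0x20, 0x00, key_ref, len(data)]) + data


@dataclass
class VerifyResult:
    ok: bool
    retries_left: Optional[int]   # None when the card does not report a count
    blocked: bool


def parse_verify_response(sw: int) -> VerifyResult:
    """Map the two-byte status word to a result; 63 CX means X retries remain."""
    if sw == SW_OK:
        return VerifyResult(True, None, False)
    if sw == SW_BLOCKED:
        return VerifyResult(False, 0, True)
    if (sw & 0xFFF0) == 0x63C0:
        return VerifyResult(False, sw & 0x0F, False)
    raise RuntimeError(f"unexpected status word {sw:04X}")


class MockPivCard:
    """Constructed stand-in for a PIV card: enough behaviour to exercise the
    status-word logic above, nothing more (assumption: three tries, reset on success)."""

    def __init__(self, pin: str, retries: int = 3):
        self._pin = pin.encode("ascii").ljust(8, b"\xff")
        self._max_retries = retries
        self._retries = retries

    def transmit(self, apdu: bytes) -> int:
        cla, ins, p1, p2 = apdu[:4]
        if (cla, ins, p1) != (0x00, 0x20, 0x00) or p2 not in (0x80, 0x81):
            return 0x6A86                     # incorrect P1/P2
        if self._retries == 0:
            return SW_BLOCKED
        if len(apdu) == 4:                    # retry-counter query, no attempt consumed
            return 0x63C0 | self._retries
        lc, data = apdu[4], apdu[5:]
        if lc != 8 or len(data) != 8:
            return SW_WRONG_DATA
        if data == self._pin:
            self._retries = self._max_retries  # successful verify resets the counter
            return SW_OK
        self._retries -= 1
        return SW_BLOCKED if self._retries == 0 else (0x63C0 | self._retries)


def verify_pin(card, pin: str) -> VerifyResult:
    """Query the retry counter first, then submit the PIN. The query lets an operator
    stop before the cardholder's last attempt would lock the primary credential."""
    status = parse_verify_response(card.transmit(build_verify_apdu(None)))
    if status.blocked:
        return status
    return parse_verify_response(card.transmit(build_verify_apdu(pin)))


if __name__ == "__main__":
    card = MockPivCard("123456")                 # constructed PIN for the mock
    print(verify_pin(card, "123456"))            # ok=True
    print(verify_pin(card, "000000"))            # ok=False, retries_left=2
```

The practical caveat for step 6 is the retry counter: each wrong PIN consumes one of the card's remaining attempts, and once the counter reaches zero the card answers 69 83 to every VERIFY, including one with the correct PIN, so the primary credential can no longer be used to derive anything until the PIV issuer unblocks it. Querying the counter with the no-data VERIFY before prompting, as `verify_pin` does, costs nothing and tells the operator how many attempts the cardholder has left.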