Derived PIV

A derived PIV credential is a cryptographic credential generated from an existing Personal Identity Verification (PIV) card. It can be issued only when the holder has an existing, active PIV ID. The derived credential lets you authenticate to and access secure systems or services without presenting the PIV card.

The platform issues derived PIV (DPIV) credentials to both enrolled and federated users. If you are a federated user and wish to log in with your existing PIV ID to obtain DPIV credentials, the platform must trust the certificate used for login. Your organization manages this by integrating with the platform for identity federation.

Supported Identity Devices

A derived PIV can be issued on the following identity devices:

  • IDEMIA - ID-One PIV v2.4.2 on Cosmo V8.2
  • IDEMIA - ID-One PIV 2.4.1 on Cosmo V8.1
  • IDEMIA - ID-One PIV 2.3.4 on Cosmo V7
  • Giesecke & Devrient - G&D SCE 7.0 with PIV Applet V1.0
  • ZTPass - ZTPass on NXP P71D600
  • Thales - Thales IDPrime PIV v3.0
  • Yubico - YubiKey 5 Series
  • Arculus - AuthentiKey
  • Swissbit - Swissbit iShield Key

Prerequisites

  • Ensure that an authorized operator within your organization has registered you with the necessary privileges.
  • If you are a federated user, check whether your organization has integrated with the Unifyia platform.
  • Existing PIV ID - You must have at least one active PIV identity device to access the Unifyia platform.
  • You have a smart card reader for reading smart cards.
  • You have a new PIV smart card or a PIV-supported security key such as a YubiKey. The identity device type to be issued is at the discretion of your organization.
  • If you are issuing a USB security key such as a YubiKey, ensure that the USB device remains connected to the computer throughout the DPIV issuance process.
  • You have installed the Unifyia User Client on your system to access the connected devices.

Self-Issuance of Derived PIV Credential

  1. Log into the Unifyia platform as a platform user or federated user using a PIV ID.
  2. Navigate to Identities.
  3. Select + Add New.
  4. If more than one identity is approved for you, you are prompted to select the workflow for which you wish to issue an identity before continuing.
  5. From the listed identity device options, select the identity device on which you wish to issue the derived credentials. You can issue derived credentials on a PIV-supported smart card or security key.
  6. Insert your PIV ID into the card reader attached to your computer.
  7. The primary card verification page appears.
  8. Select your PIV ID type and enter the PIN when prompted.
  9. On successful verification of the primary credential, the system prompts you to proceed with the issuance of the derived credentials. Select Next.
  10. Connect the identity device on which the derived PIV credentials are to be issued:
    1. For a smart card: Remove the PIV ID from the reader, then insert your new PIV smart card into the same reader or into an additional card reader connected to your computer.
    2. For a security key: Insert your security key into a USB port.
  11. The connected reader and authenticator details are displayed on the Issue Identity screen.
  12. Enter a PIN and confirm it.
  13. Select Personalize.
  14. A success message appears once the credentials have been issued on the selected device.

The derived PIV credential has been issued. You are now ready to authenticate and access secure systems or services without needing the PIV card.