Derived PIV
A Derived PIV (Personal Identity Verification) credential is a secondary or supplemental
credential that is derived from an individual's primary PIV credential. It is typically used in
situations where the primary PIV credential is not physically available or convenient for use, but the
user still needs to access systems or perform authentication tasks. Derived PIV credentials maintain the
same security and identity attributes as the primary PIV credential but are issued in a different
form—such as a software token, mobile device credential, or another digital format.
Key Features of a Derived PIV:
- Security and Compliance: Derived PIV credentials follow the same security standards
as the primary PIV credential, ensuring compliance with federal security requirements.
- Convenience: They enable secure, passwordless authentication in cases where the
physical PIV card cannot be used, such as in mobile environments or remote work scenarios.
- Multi-factor Authentication: Derived PIVs still leverage multi-factor
authentication mechanisms (such as biometric data, PINs, and certificates) to verify the
user's identity.
- Usage Scenarios: Derived PIV credentials can be used in scenarios like remote
access, virtual environments, or mobile devices, offering flexibility without compromising security.
In essence, derived PIV credentials help extend the usability of the PIV system while ensuring that the
same high standards of security and identity verification are maintained, regardless of the method of
authentication.
A Derived PIV Credential (DPC) or Derived Personal Identity Verification
(DPIV) credential is a secondary cryptographic credential that is created from an
individual's primary PIV credential. The issuance of this credential complies with the NIST SP 800-157r1
standard and is permitted only when there is an active PIV ID in place. It is primarily used in
situations where the physical PIV credential is unavailable or impractical, but the user still requires
access to systems or authentication tasks. Derived PIV credentials retain the same security and identity
attributes as the primary PIV credential but are issued in alternative forms, such as software tokens,
mobile device credentials, or other digital formats.
The Unifyia platform allows operators and users to issue a DPIV (Derived PIV) credential by validating
an existing PIV ID, which is treated as the primary credential. It supports issuing DPIV credentials to
both platform-registered and federated users. Users can be imported from integrated directories, with
the prerequisite that the directory (LDAP/AD) is already connected to the Unifyia platform for user
federation. Group mappings should also be set up after group creation so that the platform correctly
maps user groups from the directory to its own groups. Additionally, a role mapper for user roles must
be pre-configured for users coming from the directories.
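The issuance precondition described above (a DPIV may only be created against an active primary PIV, per NIST SP 800-157r1) and the linkage it implies can be modelled as a small policy gate. This is an added illustration, not Unifyia platform code; the record fields, function names and sample PIV ID are assumptions, and the sample data is constructed.

```python
# Added illustration, not Unifyia code. Models the SP 800-157r1 rule that a
# Derived PIV credential (DPC) may only be issued against an active primary PIV
# and shares its lifecycle. Record fields are assumptions; sample data is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # constructed "current time"

@dataclass
class PrimaryPiv:
    piv_id: str
    not_after: datetime      # validity end of the PIV authentication certificate
    status: str = "active"   # "active" | "suspended" | "terminated"
    revoked: bool = False    # result of the CRL/OCSP check on that certificate

@dataclass
class DerivedCredential:
    dpc_id: str
    piv_id: str              # linkage back to the primary PIV it was derived from
    status: str = "active"

def can_issue_derived(primary: PrimaryPiv, now: datetime) -> Tuple[bool, str]:
    """All three checks must pass; the first failure is reported as the reason."""
    if primary.status != "active":
        return False, f"primary PIV {primary.piv_id} is {primary.status}"
    if primary.revoked:
        return False, "primary PIV authentication certificate is revoked"
    if now >= primary.not_after:
        return False, "primary PIV authentication certificate has expired"
    return True, "ok"

def issue_derived(primary, now, dpc_id, registry: List[DerivedCredential]):
    allowed, reason = can_issue_derived(primary, now)
    if not allowed:
        raise PermissionError(reason)        # refuse rather than issue an orphaned DPC
    dpc = DerivedCredential(dpc_id, primary.piv_id)
    registry.append(dpc)
    return dpc

def terminate_primary(primary, registry) -> List[str]:
    """Terminating the PIV cascades to every active DPC linked to it."""
    primary.status = "terminated"
    hit = [d for d in registry if d.piv_id == primary.piv_id and d.status == "active"]
    for d in hit:
        d.status = "terminated"
    return [d.dpc_id for d in hit]

def make_sample(expired: bool = False):
    delta = timedelta(days=-1 if expired else 365)   # constructed validity window
    return PrimaryPiv("PIV-0001", NOW + delta), []   # primary PIV plus empty DPC registry
```

The same gate should be re-run at each DPIV renewal, since the primary PIV may have been revoked or terminated in the meantime.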
Supported Identity Devices
A derived PIV can be issued on the following identity devices on the Unifyia platform:
- IDEMIA - ID-One PIV v2.4.2 on Cosmo V8.2
- IDEMIA - ID-One PIV 2.4.1 on Cosmo V8.1
- IDEMIA - ID-One PIV 2.3.4 on Cosmo V7
- Giesecke & Devrient - G&D SCE 7.0 with PIV Applet V1.0
- ZTPass - ZTPass on NXP P71D600
- Thales - Thales IDPrime PIV v3.0
- Yubico - YubiKey 5 Series
- Arculus - Arculus AuthentiKey
- Swissbit - Swissbit iShield Key