Operator Guide

The Unifyia platform for operators is a unified platform for sponsoring, enrolling, adjudicating, issuing, and managing identities for users and partners. It allows operators to issue identities on devices such as smart cards, NFC cards, security keys, and mobiles.

Access to the Unifyia platform is role-based, as per the specifications outlined in FIPS 201-3. Access to different modules on the platform for operators is based on the access privileges assigned to them. Each role may be assigned exclusively based on the activities to be performed on the platform.

This guide treats the actions performed by Sponsors, Registrars, Identity Issuers, Security Officers, and Helpdesk Operators as operator functions. Hence, this guide acts as a single point of reference for all the operators to understand the various functions that they can perform. Organizations may use their discretion in assigning privileges based on their defined organization policies. Learn more about roles and permissions.

Intended Audience

This guide is intended for the operators who manage user onboarding, enrollment, adjudication, identity issuance, and identity management.

Throughout this document, "you" refers to an operator.

Unifyia Platform Capabilities

The Unifyia platform allows you as operators to perform the following functions:

  • Onboard users
  • Onboard Users with PIV ID
  • Enroll user data and biometrics
  • Manage approval
  • Issue multiple types of identity devices to users
  • Manage issued identities
  • View and import directory users and issue identities
  • Use the identity reader option to view PIV device information
  • Reset an identity device to factory settings
  • Delete Users

Once you search for a user, you will find a list of icons under the actions column based on the user status. Select the icons based on the action to perform.

Based on the permissions granted to you on the Unifyia platform, you may have access to the following modules:

  • Dashboard
  • Management
    • Users
    • Master Directory View
    • ID Reader
    • Device Factory Reset

The Management module helps operators manage all the activities related to users, such as onboarding, enrollment, approval, issuance, lifecycle management of the issued identities, and deleting users.

Supported Browsers to Access the Unifyia platform

  • Google Chrome on Windows
  • Microsoft Edge on Windows
  • Safari on macOS

Before You Begin

  • Ensure that you're registered with the necessary privileges as an authorized operator within your organization.
  • You must have at least one active identity device to access the Unifyia platform.
  • To complete enrollment, you may require a document scanner, camera, fingerprint scanner, iris scanner, and signature pad based on the user information being captured.
  • Ensure that the Unifyia Operator Client is installed on your system to access the connected devices.
  • Ensure that relevant devices such as PIV cards or security keys are available if you are issuing physical identities.
  • Should you encounter any difficulties, please reach out to the administrator for assistance.

Login

Log in to the Unifyia platform with the authentication method approved by your organization.

  1. Launch the Unifyia platform and open the Sign In page.
  2. On the sign-in page, provide the username or email and select Sign In.
  3. The sign-in page displays the permitted authentication methods to log in to the platform. These options are shown based on the authentication modes configured and the credential preferences set by your organization's administrator.
  4. Select a method and log in to the platform.

Learn more about the various authentication methods supported by the Unifyia platform

Dashboard

The panels displayed on the dashboard are privilege-based. Generally, for an operator, the following panels are visible.

  • Pending Enrollment
  • Pending Issuance
  • Pending Requests
  • User Statistics
  • Identity Devices

You can retrieve a list of users for a specific period by choosing a start date and end date on each dashboard panel.

Pending Enrollment

The pending enrollment panel displays the details of all the users who have been onboarded but are yet to be enrolled or are in the process of enrolling. Each action that can be performed for a user has its own icon. Select the corresponding icon to perform any of the following actions for a listed user from this dashboard.

  1. Begin Enrollment: Select Begin Enrollment to start enrolling a user.
  2. Edit Onboarded Information: Select Edit Onboarded Information to edit the data collected during onboarding. Once you complete the editing of data, be sure to update the data.
  3. Delete User: Select Delete User to delete a user.

Pending Issuance

The pending issuance panel displays the details of all the users who have been enrolled but have not yet been issued a device. The following actions can be performed for each listed user using this dashboard.

  1. Issue Identity: Select Issue Identity to start the process of identity issuance.
  2. Enrollment Details: Select Enrollment Details to view or edit the enrollment data. Once you complete editing the data, be sure to update the data.
  3. Delete User: Select Delete User to delete a user.

Pending Requests

The pending requests panel displays the details of all the users whose enrollment needs to be reviewed and approved to proceed with the issuance. The following actions can be performed for each listed user using this dashboard.

  1. Approve/Reject Enrollment: For each user listed under this panel, you can approve/reject enrollment.
  2. Enrollment Details: Select the Enrollment Details icon to display the details of the enrolled users. You can edit or delete the enrolled user details. You can also view the User Enrollment History.
  3. Delete User: Select the Bin icon to delete users.

User Statistics

The user statistics panel displays the list of user roles and their status statistics.

Identity Devices

The identity devices panel displays the list of all the types of identity devices issued and their status statistics.

Onboard Users

Prerequisites

  1. A group must be created for the users to be assigned.
  2. A workflow must be configured to define the issuance policy.

The Onboard User feature allows you to sponsor a user by providing their basic information. While sponsoring a user, you can assign them to one or more groups that determine their roles, access privileges, device actions, and authentication methods. If permitted by your organization's policy, the user may also be granted access to the self-service portal to add new devices and manage the issued identities.

To sponsor a user, navigate to Management > Users. On the displayed page, select + Onboard User. The Onboard User page appears. Provide the following data:

  1. First Name (e.g., Simone)
  2. Last Name (e.g., Clark)
  3. Username: Unique name to identify the user (e.g., simoneclark)
  4. Email: Should be unique
  5. Assign to Group: Select the appropriate groups from the drop-down list to assign to the user. Each group determines the user's roles, access privileges, and allowed authentication methods. Depending on your organization's policy, the group assigned may grant the user multiple roles. For example, to onboard a user with both Sponsor and User permissions, choose a group that includes both roles.
  6. Slide the Allow Self-Service button to the right to grant the user access to the platform.
  7. Select Save to onboard the user or Cancel to exit the process.
  8. The user is sent a welcome email. Additionally, if enabled, the user will also receive an enrollment invite email to continue with the enrollment process.

This completes the onboarding of a user. However, if as an operator you are permitted to continue with the enrollment, you are directed to proceed with the enrollment of the user. You could choose to continue by selecting Yes or cancel by selecting No.

Onboard Users with PIV ID

The Unifyia platform allows you to onboard users using their existing PIV IDs. This simplifies the process, especially when issuing derived PIV credentials. In this approach, the basic details of the user are captured by the system from the provided PIV ID. To onboard a user using PIV ID, follow the below steps:

Prerequisites

  • The user, who needs a derived credential, must be present with an active PIV ID.

  1. Navigate to Management > Users. On the displayed page, select + Onboard User with PIV ID.
  2. The primary card verification page appears.
  3. Connect the user's PIV ID and select it from the dropdown list. Ask the user to enter the PIN when prompted.
  4. On successful verification of the primary credential, the user's first name, last name, username, and email are populated.
  5. Assign to Group: Select the appropriate groups from the drop-down list to assign to the user.
  6. Slide the Allow Self-Service button to the right to grant the user access to the platform.
  7. Select Save to onboard the user or Cancel to exit the process.
  8. Once onboarded, the user is sent a welcome email. Additionally, if configured, the user will also receive an enrollment invite email to continue with the enrollment process.
  9. If the users onboarded using the PIV ID do not require completing the enrollment or approval process, they can be directly issued derived PIV credentials.
  10. If the enrollment and approval steps are configured, users must complete these steps before becoming eligible for the issuance of derived credentials. Appropriate emails are triggered to notify the users based on the configured workflow.

Edit Onboarded Information

If you want to edit the onboarded user information, go to the main menu Management > Users. Search for the user either by name or email. Under the Actions column, select the Edit Onboarded Information icon and edit the details as required. Once completed, select Save to update the details of the user.

NOTE
You cannot edit the user information once the enrollment of the user starts.

Import Users from Directory

The Unifyia platform enables you to view the mapped attributes of a selected user and import the user from a chosen directory. Depending on organizational policies, identities can be assigned to users. Additionally, the platform supports the lifecycle management for these issued identities. Before importing users, the following prerequisites must be managed by your administrator.

Prerequisites

  • The directory from where you are trying to import the users must be integrated.
  • Groups must be created for the users being imported and group mappers must be configured for the directory. If not, all the users will be assigned to the default workflow which has preconfigured groups. Note that for an organization, there can be only a single default workflow.
  • LDAP/AD Mappers must be configured to map the user attributes to the directory attributes.

Steps to Import a User

  1. Go to Management > Master Directory View.
  2. On the displayed page, select a Directory from the drop-down list.
  3. Provide either first name, given name, last name, email, or username to search for a user. Press Enter.
  4. The list of users matching the given search criteria is displayed.
  5. For the user that you wish to import, select the View Details icon under the Actions column. The details of the user are displayed.
  6. Select Import to import the user.
  7. A message confirms that the user has been successfully imported.
  8. You can now issue credentials according to the configured organization policies.

NOTE
If you import a user, issue credentials, and then re-import the same user from the directory, only the user details are updated. The details of the issued devices remain unchanged.

Issue Identities to the Imported Users

Before issuing identities to users imported from directories, ensure that the following prerequisites have been configured by your organization's administrator:

  • Device profiles must be added for the types of identity devices that the organization plans to issue to the imported users.
  • Relevant visual designs must be created based on the identity types to be issued.
  • Groups must be created for the users being imported and group mappers must be configured for the directory. If not, all the users will be assigned to the default workflow which has preconfigured groups. Note that for an organization, there can be only a single default workflow.
  • Workflows must be created to issue identities for the imported directory users.
  • Approval for issuance of identity devices is not required for the imported directory users.

The issuance process is similar to that of the users enrolled via the platform.

Enroll Users

You can manage an in-person, supervised enrollment of the user using the enrollment feature. This section outlines the various steps required to capture both user biometric and biodata information. The enrollment steps may vary depending on the configured workflow for the group to which the user is assigned.

Navigate to Management > Users. Search for the user either by name or email. Under the Actions column, select the Begin Enrollment icon. The enrollment wizard is displayed. It presents a series of steps that must be completed to finish the data capture process. As you progress from one step to another, the information provided during each step is saved. Typically, the entire enrollment process includes the following steps:

  • Uploading or capturing at least one ID proofing document.
  • Providing the user information
  • Uploading or capturing the user's face image
  • Capturing the user's iris images
  • Capturing the user's fingerprint images
  • Capturing the user's signature
  • Viewing the captured data on the summary before saving the enrollment data.

In the sections below, each step is explained in detail to provide a comprehensive understanding of the data capture process.

Capture ID Proofing Documents


Supported Document Scanner

  • EPSON -V600 Photo Scanner

On the document capturing wizard, you must upload the identity proofing documents (I-9 documents) of the user. The list displays the allowed ID documents based on the workflow assigned to the user. You can add the ID proofing documents in three different ways: upload local images, capture using a camera, or capture using a document scanner. Select the Add ID Document button and follow the steps below:

  1. Select the Identity Document Type from the dropdown list, e.g., Birth Certificate, US Passport, etc. Refer to the List of I-9 Documents and Issuing Authorities for the complete list of documents that are allowed for identity proofing.
  2. Based on the selected identity document type, the Issuing Authorities are displayed. Select the relevant issuing authority. Enter the following details:
    1. Number: Enter the document number.
    2. Expiration Date: Enter the document expiration date.
    3. Comments: Provide additional comments if required.
  3. Capture Mode: Select one of the below options to continue. If the document does not have information on the back side, you can skip the step to capture the back side image of the document.
    1. Capture: Capture images of both the front and back of the identity document using a connected camera or webcam. You can zoom in and out of the captured image to crop it to the required size. Use the recapture option to restart the capturing process if needed.
    2. Upload: Upload the local images of the document. Supported formats for upload are PNG, JPG, and PDF.
    3. Document Scanner:
      1. If a document scanner is connected, select the specific scanner type from the list.
      2. Once the scanner is selected, the platform will automatically show the document size options that are supported. These preset sizes ensure the scanned image is cropped and processed accurately according to the document's format. The supported sizes typically include:
        • Free Form: Allows scanning of documents of any size not restricted to a standard format.
        • Driver License: Optimized for scanning standard driver’s licenses. The scanner adjusts settings for the small card size and enhances text clarity.
        • Badge: Used for scanning ID badges or access cards, typically smaller than a passport but larger than a license.
        • Passport: Specifically sized for scanning passport pages.
        • Letter: Standard 8.5" x 11" document size used commonly in offices for forms, letters, and other full-page documents.
      3. Select the appropriate document size. Scan the front and back sides of the document one side at a time.
      4. You can zoom in or out to get a clear picture by selecting the Zoom In and Zoom Out icons.
      5. You can rotate the image to the right or left side by selecting the Rotate Left and Rotate Right icons.
      6. You can flip the image by selecting the Flip icon.
  4. Select Next to save the captured documents and proceed to the next step.
  5. The information capture wizard is displayed.

Capture User Information

On the information capture wizard, provide the user biodata. The enrollment form displays the data elements based on the type of identity that is to be issued. Ensure to enter and verify all the mandatory information. Select Next. The face capture wizard is displayed.

Capture Face


Supported Cameras

  • Integrated camera of the laptop
  • Connected web camera
  • Camera with live streaming option, e.g., Sony ZV-1F

On the face capture wizard, proceed to capture a face image by taking a photo using the device's camera or a connected camera. Alternatively, you can upload a photo from local images. The supported formats are PNG, JPEG, and JPG.

To learn more about how to capture a good face image for a PIV ID as per the instructions mentioned in the FIPS 201-3 standard, read PIV Photo Capture Instructions.

Capture Face Image

  1. Select Capture to display the face capture screen.
  2. If the plugged-in camera device is not selected, select a camera device listed in the drop-down. By default, the integrated camera of the laptop is selected.
  3. To capture a photo, adjust the position of the user's face within the cropping rectangle by moving the cropper box accordingly.
  4. You can zoom in or out to get a clear picture by selecting the buttons with the Zoom In and Zoom Out icons.
  5. Select the Crop button to capture the photo.
  6. If the workflow is configured to allow the conversion of the captured photo to a transparent image, the captured photo is converted into a transparent photo and displayed on the screen. If you wish to use the transparent image on the visual ID, for the Use Transparent Photo option, select Yes.
  7. Check the preview of the captured photo.
  8. If it is not clear, select Delete.
  9. Select Recapture to restart the photo capturing process.

Upload Photo

  1. Select the option Upload and select a photo stored locally on your device.
  2. You can zoom in or out to get a clear picture by selecting the buttons with the Zoom In and Zoom Out icons.
  3. Adjust the position of the user's face within the cropping rectangle by moving the cropper box accordingly.
  4. Select Crop to capture the photo.
  5. If the workflow is configured to allow the conversion of the captured photo to a transparent image, the captured photo is converted into a transparent photo and displayed on the screen. If you wish to use the transparent image on the visual ID, for the Use Transparent Photo option, select Yes.
  6. Check the preview of the captured photo.
  7. If it is not clear, select Delete.
  8. Select Recapture to restart the photo capturing process.

Once you have completed the face capture, select Next. The iris capture wizard is displayed.

Capture Iris


Supported Iris Scanners

  • CMITech: CMITECH BMT-20, ET-45

The next step is to capture the iris image. By default, the system is configured to capture both the irises.

  1. If the connected iris device is not selected, select it from the drop-down.
  2. Place the iris device in front of the user's face and position the eyes to capture the iris images.
  3. Select Clear to remove the captured images if you need to restart the iris capturing process.
  4. Select Next to continue. The fingerprint capture wizard is displayed.

Capture Fingerprints


Supported Fingerprint Scanners

  • Integrated Biometrics - FIVE-O, Watson Mini, Columbo
  • SecuGen Hamster, Hamster Pro 10, Hamster Pro 20, Hamster Pro Duo SC/PIV, Hamster Pro Duo CL
  • HID Crossmatch Guardian 100

Proceed to capture the user's fingerprints. There are two types of fingerprints that you can capture based on the workflow configuration - rolled and flat. Ensure that the fingerprints meet the set quality threshold limit. Follow the below sections to understand how to capture rolled/flat fingerprints.

Capturing Rolled Fingerprints

If the workflow is configured to scan two, four, or ten flat fingerprints plus the rolled fingerprints, then the wizard displays two wizard screens. In the first wizard, you need to capture all ten fingers individually in a sequence as highlighted on the screen in the rolled format. In the next wizard, you need to scan two, four, or ten flat fingerprints as configured. Follow the fingerprint capturing process section to understand how to scan and save fingerprints.

Capturing Flat Fingerprints

If the workflow has been configured to scan two, four, or ten flat fingerprints then there will be only one wizard for capturing fingerprint images. The wizard highlights the number of fingers to be scanned as per the configuration. For the 10 (slap) fingerprints capturing process, you will see rectangular boxes highlighting which hand and fingers to place to capture. Follow the instructions on the wizard to ensure that the right fingerprints are captured as per the configuration. Follow the fingerprint capturing process section to understand how to scan and save fingerprints.

Fingerprints Capturing Process

  1. If there is a single fingerprint scanner connected, the system displays it. Otherwise, select the connected scanner from the drop-down list.
  2. If the rolled fingerprints option is enabled, the wizard to capture the rolled fingerprints is displayed. Follow the instructions on the wizard and place the correct fingers to ensure that all the required fingerprints are captured in the rolled format.
  3. The next wizard helps to capture the flat fingerprints. The wizard indicates which finger should be placed on the scanner by highlighting it. Once you place the finger, the fingerprint is automatically captured. If you are capturing 10 fingers in a slap format, the screen indicates the format in which the fingers are to be placed. Continue till all the required fingerprint images are captured.
  4. If the allowed maximum number of attempts to capture the fingerprints is exceeded, or if the captured image does not meet the required quality threshold during the attempts, the Recapture Fingerprints button is enabled. Select it to restart the fingerprint capturing process.
  5. The wizard displays the preview of all the fingerprints collected along with the quality score.
  6. During the process, if you need to clear the captured fingerprint images, select Clear and select OK to remove all the captured fingerprints.
  7. Once you have captured the required fingerprints, select Next to move to the next step. The signature capture wizard is displayed.

Capture Signature


Supported Signature Pad

  • Signotec Sigma
  • Laptop Touchpad

The final step is to capture the signature of the user.

  1. If the plugged-in signature pad is not selected, select it from the drop-down.
  2. Draw the signature in the signature box to capture a signature. Select Next to view the summary page.

View Summary

All the demographic and biometric details captured are displayed for a final review.

  1. To edit the details, select the Back button or navigate to the respective enrollment step.
  2. If the data collected is as per the specifications, select Save to complete the enrollment. The enrollment process is complete for the user.
  3. Based on the configured workflow, the following actions are triggered.
    • Approval Enabled: If the approval option is enabled in the workflow, the user enrollment details are sent for adjudication. The user receives an email mentioning that the enrollment details are submitted for further investigation process. The background investigation and fingerprint verification processes are initiated for the user.
    • Approval Disabled: If the approval option is not configured, an automated email is sent to the registered email address of the user to register the user's mobile device via the Unifyia ID Wallet App to get the digital identities on the mobile device.

Investigation

The Background and Fingerprint Investigation process is a crucial step in verifying an individual's identity and suitability for certain roles, especially those requiring security clearance. It involves checking the individual's criminal, financial, and personal history, as well as collecting biometric data like fingerprints for further verification. These investigations help ensure that individuals are trustworthy and pose no security risks. Fingerprints are used to cross-check criminal records and identity verification. This process is required for roles with access to sensitive or classified information.

If the workflow is configured to include the approval process, the investigation step is added in the enrollment wizard. Once the enrollment data is submitted, the enrollment status is changed to Pending Investigation. Once the investigation results are uploaded, an authorized approver must review the results and approve the enrollment for the user. Once approved, the user becomes eligible for issuance.

In general, all the users will go through the background investigation process if the workflow is configured to include the approval step. In addition to this, if the workflow also contains the fingerprint capture, then the fingerprint investigation of the user must be completed to process the enrollment.

How to upload the investigation results?

Go to Management > Users. Search for the user either by name or email. Under the Actions column, select the Investigation icon. The enrollment summary page is displayed. Select Next. The Investigation page is displayed. This page displays two sections based on the workflow configuration. Fill in the required data and select Submit to save.

Background Investigation

This section is displayed when the workflow is configured to include the approval step for completing the enrollment. The authorized operator with permissions to this page will update the results of the background investigation. Fill in the fields listed below:

  1. On File: Select Yes, if the report is on file.
  2. Submit Date: Select the date of submission of the investigation report.
  3. Completion Date: Select the completion date of the investigation.
  4. Verification Type: Select the type of the verification performed. Each of these investigations varies in depth and scope, depending on the level of access required for the job and the associated security risks. The available options are:
    1. NACI (National Agency Check with Inquiries)
    2. ANACI (Access National Agency Check with Inquiries)
    3. MBI (Moderate Background Investigation)
    4. LBI (Limited Background Investigation)
    5. BI (Background Investigation)
    6. SSBI (Single Scope Background Investigation)
    7. SSBI-PR (Single Scope Background Investigation-Periodic Reinvestigation)
  5. Result: Select Favorable if the investigation is successful and Unfavorable if the investigation failed.
  6. Comments: Add relevant comments.
  7. Completed By: This displays the name of the authorized approver who is updating the results.

Fingerprint Investigation

This section is displayed when the workflow is configured to include fingerprint capture and approval steps for completing the enrollment. If the workflow does not include the capturing of fingerprints, then this section is not visible. The authorized operator with permissions to this page will update the results of the fingerprint investigation. Fill in the below listed fields with data:

  1. On File: Select Yes, if the report is on file.
  2. Submit Date: Select the date of submission of the investigation report.
  3. Completion Date: Select the completion date of the investigation.
  4. Result: Select Favorable if the investigation is successful and Unfavorable if the investigation failed.
  5. Comments: Add relevant comments.
  6. Completed By: This displays the name of the authorized approver who is updating the results.

Once the investigation results are submitted, the enrollment status moves to Pending Approval. The submitted data must be reviewed and adjudicated by an authorized approver.

Approve Enrollment

Before You Begin

  • Ensure that you're registered with the necessary privileges (approver) as an authorized operator within your organization.
  • You must have at least one active identity device to access the Unifyia platform.

The approval process allows you to adjudicate by verifying the submitted identity proofing documents, and reviewing the enrolled data and biometrics.

  1. Search for a user by name or email.
  2. Select the Approve/Reject Enrollment icon against the selected user.
  3. The enrollment details of the user are displayed.
  4. To approve a user enrollment, select Approve, select a reason for approving the user enrollment. Select Yes to complete the approval process or No to cancel and exit the process.
  5. To reject the enrollment, select the Reject button, select a reason for rejecting it, and confirm by selecting Yes or select No to exit the process. Until the required information is submitted, the user record remains in Enrollment in Progress status. After the required details are submitted, the user has to undergo the approval process again to complete enrollment.
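
The status gating described under Investigation and Approve Enrollment can be written down as a small state machine, which is useful when auditing an exported status history for records that skipped a required step. This is an added example, not Unifyia code or API: the class and event names, the "Ready for Issuance" and "Issued" labels, the return to Pending Investigation on resubmission after a rejection, and the sample histories in the comments are assumptions.

```python
from dataclasses import dataclass, field

# Status names taken from this guide, except where marked as assumed.
IN_PROGRESS = "Enrollment in Progress"
PENDING_INVESTIGATION = "Pending Investigation"
PENDING_APPROVAL = "Pending Approval"
READY = "Ready for Issuance"  # assumed label for the "ready for issuance" list
ISSUED = "Issued"             # assumed label

RESULTS = {"Favorable", "Unfavorable"}


class TransitionError(Exception):
    """An event that the workflow does not permit in the current status."""


@dataclass(frozen=True)
class Workflow:
    approval_enabled: bool
    fingerprint_capture: bool

    def required_investigations(self):
        # Background investigation whenever approval is configured; fingerprint
        # investigation only when fingerprints are captured as well.
        if not self.approval_enabled:
            return frozenset()
        kinds = {"background"}
        if self.fingerprint_capture:
            kinds.add("fingerprint")
        return frozenset(kinds)


@dataclass
class Enrollment:
    workflow: Workflow
    status: str = IN_PROGRESS
    results: dict = field(default_factory=dict)

    def _expect(self, status, action):
        if self.status != status:
            raise TransitionError(f"{action} not allowed in status {self.status!r}")

    def save(self):
        self._expect(IN_PROGRESS, "save enrollment")
        self.results = {}  # assumption: a resubmission is investigated afresh
        self.status = PENDING_INVESTIGATION if self.workflow.approval_enabled else READY

    def submit_investigation(self, results):
        self._expect(PENDING_INVESTIGATION, "submit investigation")
        required = self.workflow.required_investigations()
        if set(results) != required:
            raise TransitionError(
                f"expected results for {sorted(required)}, got {sorted(results)}")
        if any(value not in RESULTS for value in results.values()):
            raise TransitionError("result must be Favorable or Unfavorable")
        self.results = dict(results)
        self.status = PENDING_APPROVAL  # the approver still has to adjudicate

    def adjudicate(self, approve):
        self._expect(PENDING_APPROVAL, "adjudicate")
        # A rejection sends the record back to enrollment.
        self.status = READY if approve else IN_PROGRESS

    def issue(self):
        self._expect(READY, "issue identity")
        self.status = ISSUED


def audit(workflow, events):
    """Replay a status history; return (status reached, first violation or None).

    `events` is a list of tuples such as ("save",), ("adjudicate", True) or
    ("submit_investigation", {"background": "Favorable"}).
    """
    record = Enrollment(workflow)
    handlers = {
        "save": record.save,
        "submit_investigation": record.submit_investigation,
        "adjudicate": record.adjudicate,
        "issue": record.issue,
    }
    for name, *args in events:
        handler = handlers.get(name)
        try:
            if handler is None:
                raise TransitionError(f"unknown event {name!r}")
            handler(*args)
        except TransitionError as exc:
            return record.status, str(exc)
    return record.status, None
```
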

View Enrollment Details

The enrollment details option allows you to view and edit the enrollment data. Follow these steps:

  1. Go to Management > Users.
  2. Search for the user either by name or email.
  3. Under the Actions column, select the Enrollment Details icon.
  4. The enrollment summary page will be displayed.
  5. To edit the information, select Edit and make the necessary changes.
  6. Once you have made the edits, select Save to update the enrollment data.
  7. To delete the enrolled user, select Delete and confirm by selecting Yes, or select No to cancel deleting the user.
  8. To exit the page, select Back.

User Enrollment History

If you wish to view the user enrollment history, select the User Enrollment History option at the end of the enrollment details page. It displays the following details.

  • Modified Steps: This displays the different steps where the data was modified.
  • Status: The status of the user enrollment.
  • Enrolled By: Displays the name of the operator who enrolled the user.

Once the enrollment details are verified and approved, the user is eligible for issuance and is listed under the ready for issuance list of users.

The next step is to issue identity devices. If you are granted permission to issue identities, you are prompted to proceed with the issuance. You can choose to continue or cancel.

To learn more about the credential management system and the issuance options available for the operators refer to the Credential Management System.

Issue Identities

The Issue Identities option allows you to issue multiple types of identities based on the set organizational policies.

  1. Go to Management > Users.
  2. Search for the user either by name or email.
  3. Under the Actions column, select the Issue Identities icon.
  4. The list of approved identities is displayed.

The following are the identity types typically issued by operators:

To learn more about the issuance options available for operators, refer to the Credential Issuance - Operators.

Manage Lifecycle of Identities

The Identity Lifecycle option allows you to issue multiple types of identities based on the set organizational policies.

  1. Go to Management > Users.
  2. Search for the user either by name or email.
  3. Under the Actions column, select the Identity Lifecycle icon.
  4. All the issued identities are displayed. For the identity you want to manage, select MANAGE. The options displayed depend on the status of the device. You can perform the following lifecycle actions:
    • Suspend
    • Reactivate
    • Reset PIV PIN
    • Reset FIDO PIN
    • Revoke
    • Remove
    • Show PUK
    • Resend Initial PIN
    • View Initial PIN
    • Delete (Delete FIDO2 credentials)
    • Delete Users

To learn more about the various identity lifecycle actions that you as an operator can manage, refer to the Granular Lifecycle Management - Operators.

Invite to Pair Mobile Device

This option enables you to send an email invitation to register the user's mobile device with the Unifyia ID Wallet app. Note that the ID Wallet app option is visible only if the workflow for the selected user is configured to issue mobile identities. Here are the steps to follow:

  1. Go to Management > Users.
  2. Search for the user either by name or email.
  3. Under the Actions column, select the Invite to Pair Mobile Device icon.
  4. An email will be sent to the registered email address of the user informing the user to register and get the digital identities on the mobile device using the Unifyia ID Wallet app.

Read PIV ID

The ID Reader option allows you to read the contents of the PIV-supported devices or Security Keys. This is useful to verify if all the certificates have been loaded onto the device for authentication and verification.

  1. Go to Management > ID Reader on the dashboard. The ID reader page is displayed.
  2. Connect a device. The system detects the connected device.
    1. For Smart card: Connect a card reader to your computer and insert a smart card.
    2. For Security Key: Insert the security key into a USB port.
  3. Enter the PIN of the device.
  4. Select OK to see the following details. The details displayed may vary based on the device type and device profile.
    1. Device Information: This is the ATR of the device, the serial number, and the model of the device.
    2. CHUID Information: CHUID stands for Cardholder Unique Identifier. This is a number that is stored electronically on a smart card.
    3. FASC-N: This is a primary identifier of the smart card for physical access control.
    4. Certificates: This section shows the details of the user and the certificates present inside the smart card. It displays the details of the below-mentioned certificates:
      1. Authentication
      2. Card Authentication
      3. Digital Signature
      4. Key Management
    5. User Biometrics: This section shows all the user biometrics captured as part of the enrollment process.

Device Factory Reset

The device factory reset option enables you to reset the device with the factory keys, restoring it to its original state for reuse. Only identity devices in Revoke status are eligible for factory reset. You cannot reset an identity device if it is in an Active or Suspended status. You cannot factory reset devices from another tenant because their device profile keys and lock codes are not available. Ensure that the Unifyia Operator Client is active and running.

  1. Go to Management > Device Factory Reset to display the factory reset page.
  2. Connect a device. The system detects the connected device.
    • For Smart card: Connect a card reader to your computer and insert a smart card.
    • For Security Key: Insert the security key into a USB port.
  3. The type of the authenticator device (identity device) and device profile are auto-populated.
  4. Select OK to reset the device to factory settings or Cancel to exit the process.
  5. Once the factory settings are restored, the device is ready to be reused. You can now issue the device to users.

The following table shows the list of the identity devices for which the factory reset feature is enabled.

Devices Allowed for Factory Reset
Identity Device | Keys | Loading Diversified Customer Key-based GP, PIV Admin Keys | Factory Reset | Resetting PIV Containers/LDS Data
IDEMIA V7 | GP Master, PIV Admin | Yes | Yes | Yes
IDEMIA V8.1 | GP Master, PIV Admin | Yes | No | Yes
Giesecke & Devrient | GP Master, PIV Admin | Yes | Yes | No
ZTPass - ZTPass on NXP P71D600 | GP Master, PIV Admin | Yes | Yes | Yes
Yubico | PIV Admin | Yes | Yes | No

List of I-9 Documents and Issuing Authorities

The following is the list of supported I-9 documents and their issuing authorities for ID proofing.

List of I-9 Documents and Issuing Authorities
Document Name | Issuing Authority
Accepted Receipt for ID Document Replacement | Other
Agency ID Card | U.S. Department of State
Alien Registration Receipt Card (Form I-551) | USCIS
Birth Certificate | County
Birth Certificate | Municipal Authority
Birth Certificate | State
Birth Certificate | Other
Birth Report Certificate | Department of State
Canadian Driver's License | Canadian Government Authority
Clinic, doctor, or hospital record (under age 18) | Other
Day-care or nursery school record (under age 18) | Other
Driver's License | Department of Motor Vehicles (DMV)
Employment Authorization Document (Form I-766) | USCIS
Federal ID Card | U.S. Department of State
Foreign passport (I-551 or MRIV) | USCIS
Foreign Passport with Form I-94 or Form I-94A | Micronesia (FSM)
Foreign Passport with Form I-94 or Form I-94A | Other
Foreign Passport with Form I-94 or Form I-94A | Republic of the Marshall Islands (RMI)
Foreign Passport with Form I-94 or Form I-94A | USCIS
Foreign passport (I-551 or ADIT Stamp) | USCIS
Merchant Mariner Card | U.S. Coast Guard
Military Dependent's ID Card | Department of Defense
Native American Tribal Document | Alaska Eskimo
Native American Tribal Document | Aleut Community
Native American Tribal Document | Native American Indian Tribe
Permanent Resident Card | USCIS
School Photo ID card | Other
School record or report card (under age 18) | Other
Social Security Card | Department of Homeland Security
Social Security Card | Social Security Administration
State ID Card | Department of Motor Vehicles (DMV)
U.S. Citizen ID Card | Department of Motor Vehicles (DMV)
U.S. Military Card or Draft Record | Department of Defense
U.S. Passport or U.S. Passport Card | U.S. Department of State
Voter's Registration Card | Local Election Office
Voter's Registration Card | State
Voter's Registration Card | Other
Consular Report of Birth Abroad | Other
Receipt: Form I-94 w/I-551 stamp, photo | Other
Receipt: Form I-94 w/refugee stamp | Other

Delete Users

To delete a user, go to Management > Users. Search for the user by username or email in the search field. The user record is displayed. Select the Delete User icon at the far end of the displayed record to delete the user.

PIV Photo Capture Instructions

The photo on a PIV (Personal Identity Verification) card must be a full-frontal photograph. This means the image should capture the full face of the cardholder, facing directly forward, with a neutral expression and both eyes open. Here are some detailed specifications for the photo on a PIV card:

  • Head Position: The head should be centered and occupy about 50% to 70% of the frame.
  • Background: The background should be a uniform color or a single color pattern, preferably white or off-white. Avoid patterned, dark, or complex backgrounds. Ensure no shadows are present in the background.
  • Lighting: The photo should be well-lit, with no shadows, glare, or reflections.
  • Expression: The cardholder should have a neutral expression or a natural smile, with both eyes open.
  • Attire: The cardholder should wear normal attire. Uniforms, hats, or head coverings are not allowed unless worn daily for religious reasons.
  • Photo Quality: If you are uploading a photo, it should be clear, high-resolution, and free of any marks or blemishes.

These guidelines ensure that the photo on the PIV card is suitable for accurate identification and verification.