What are PIV Mobile Derived Credentials?

Derived PIV is a Personal Identity Verification (PIV) credential that is placed on a mobile device and soon to be extended to other technologies, such as USB keys.

The US federal government’s PIV programme was introduced to provide secure two-factor authentication (2FA) for government and military employees into the buildings, computers and systems they need to access as part of their day-to-day duties.

PIV is based on a cryptographically protected credential, associated with an individual, that is placed onto an employee’s smart card. That employee would then be able to use their smart card as proof of identity, granting them access to secure buildings through door card readers and to computers and networks through a built-in or external smart card reader.

The PIV card meant that insecure username and password logins could be replaced with strong 2FA. The smart card being the first factor (something the employee has) and a PIN being the second factor (something the employee knows).

However, whilst this greatly improved security for federal and military employees it has become cumbersome, inflexible and expensive. As technology has changed it has also fallen short as a user-friendly, mobile solution for employees; who wants to carry around external card readers, and what about technology that card readers can’t connect to, such as smartphones and tablets?

Federal government recognised a need for a mobile, convenient form of employee authentication that would not compromise on security.

This call for a more mobile version of PIV is what led to Derived PIV credentials and a change to guidelines through documented standards such as NIST SP800-157 and FIPS201-2. Standards that are set to evolve further with the forthcoming FIPS201-3 update, which proposes the expansion of derived PIV credentials onto a wider range of devices.

 

Derived PIV

Derived PIV is mobilised PIV – it enables a cryptographic credential, just like the credential baked into a smart card, to be passed into the secure area of an employee’s mobile device (such as in a TEE or secure element), plus other technologies, such as USB keys and virtual smart card enabled laptops.

With Derived PIV federal and military personnel have the flexibility to use their mobile devices as the first factor of authentication (something they have) alongside a second factor in the shape of a PIN (something they know) or a biometric, such as fingerprint scan (something they are).

Secure 2FA that is delivered through a user’s device without the requirement for any expensive or clunky ancillary equipment.

Intercede’s MyID® forms part of NIST’s best practice Derived PIV solution, available for federal agencies to experience at the National Cybersecurity Center of Excellence’s (NCCoE) laboratory alongside Intercede partners, including Intel, IBM, MobileIron and Verizon.

MyID is deployed across multiple federal agencies, helping issue and lifecycle manage millions of digital identities across smartphones, laptops and tablet devices as well as smart cards.

• MyID can issue Derived PIV credentials to any PIV credential holder, regardless of whether the original credential was issued by MyID or a third-party issuer, either on-premise or via a managed service
• MyID is the first Derived PIV credential solution to receive an Authority to Operate (ATO) for a federal agency
• MyID supports Derived PIV for iOS and Android smartphones and tablets

 

To find out more, download our Complete Guide to PIV Derived Credentials, or contact us now via the form below to discuss your requirements further.

You can also find out more about the future direction of the latest OMB ICAM policy on our blog and we will be covering FIPS 201-3 in more detail soon. Sign up to our newsletter below to receive future updates straight to your inbox.