
9. Create and Issue Derived PIV

When a federal employee or contractor requires PIV authentication, but using their PIV card is not practical, using a derived PIV may be an option. A derived PIV is a secure, reliable, federally issued credential issued to a mobile device, generally a smartphone or tablet, that allows an individual to use their mobile device in place of their PIV card. An individual must first have been issued a PIV card in order to be eligible for a derived PIV.

A derived PIV can be either LOA3 or LOA4. An LOA3 derived PIV uses either software or hardware to connect with a mobile device, whereas an LOA4 derived PIV must be a hardware token.


Pre-condition: An individual has a mobile device and an existing PIV credential.

1. Request Issued: An individual requests a derived PIV from an approved authority.
2. Request Approved: The approval authority reviews the request. If valid, it is approved.
3. Authentication: The individual contacts a CSP that provides derived PIVs and is authenticated using their PIV card. Authentication may occur virtually (LOA3) or in person (LOA3 & LOA4).
4. Token Generated: The CSP generates the credential token and securely issues it to the individual. The issuer could be a person or a system.
5. Token Issued: The credential is securely issued to the individual’s mobile device.
6. Token Activated: The individual is prompted to activate the token by establishing a shared secret.
7. Functionality Verified: The individual verifies token functionality through a test system.

Post-condition: Individual has an activated derived PIV credential that is ready for use.
