9. Create and Issue Derived PIV
When a federal employee or contractor requires PIV authentication, but using their PIV card is not practical, using a derived PIV may be an option. A derived PIV is a secure, reliable, federally issued credential issued to a mobile device, generally a smartphone or tablet, that allows an individual to use their mobile device in place of their PIV card. An individual must first have been issued a PIV card in order to be eligible for a derived PIV.
A derived PIV can be either LOA3 or LOA4. An LOA3 derived PIV uses either software or hardware to connect with a mobile device, whereas an LOA4 derived PIV must be a hardware token.
Pre-condition: An individual has a mobile device and an existing PIV credential.
An individual requests a derived PIV from an approved authority.
The approval authority reviews the request. If valid, it is approved.
The individual contacts a CSP that provides derived PIVs and is authenticated using their PIV card. Authentication may occur virtually (LOA3) or in person (LOA3 & LOA4).
The CSP generates the credential token and securely issues it to the individual. The issuer could be a person or a system.
The credential is securely issued to the individual’s mobile device.
The individual is prompted to activate the token by establishing a shared secret.
The individual verifies token functionality through a test system.
Post-condition: Individual has an activated derived PIV credential that is ready for use.