9. Create and Issue Derived PIV
When a federal employee or contractor requires PIV authentication but using their PIV card is not practical, a derived PIV may be an option. A derived PIV is a secure, reliable, federally issued credential provisioned to a mobile device, generally a smartphone or tablet, that allows an individual to use their mobile device in place of their PIV card. An individual must first have been issued a PIV card to be eligible for a derived PIV.
A derived PIV can be either LOA3 or LOA4. An LOA3 derived PIV uses either software or hardware to connect with a mobile device, whereas an LOA4 derived PIV must be a hardware token.
Pre-condition: An individual has a mobile device and an existing PIV credential.
1. An individual requests a derived PIV from an approved authority.
2. The approval authority reviews the request. If valid, it is approved.
3. The individual contacts a CSP that provides derived PIVs and is authenticated using their PIV card. Authentication may occur virtually (LOA3) or in person (LOA3 and LOA4).
4. The CSP generates the credential token and securely issues it to the individual. The issuer could be a person or a system.
5. The credential is securely issued to the individual’s mobile device.
6. The individual is prompted to activate the token by establishing a shared secret.
7. The individual verifies token functionality through a test system.
Post-condition: Individual has an activated derived PIV credential that is ready for use.