In 2005, Personal Identity Verification (PIV) credentialing focused on authentication through traditional computing devices, such as desktops and laptops, where a PIV card would provide a common authentication method through integrated smart card readers. Today, the proliferation of mobile devices that do not have integrated smart card readers complicates the use of PIV credentials for authentication.
Derived Personal Identity Verification (PIV) Credentials will help organizations authenticate individuals who use mobile devices and need secure access to information systems and applications.
The goal of the building block effort is to demonstrate a feasible security platform based on federal PIV standards that leverages the identity proofing and vetting results of current and valid PIV credentials to enable two-factor authentication to information technology systems via mobile devices while meeting policy guidelines. Although the PIV program and the NCCoE Derived PIV Credentials project are primarily aimed at the federal sector's needs, both are relevant to mobile device users in the commercial sector who use smart card-based credentials or other means of authenticating identity, and both support operations in federal (PIV), non-federal critical infrastructure (PIV-interoperable or PIV-I), and general business (PIV-compatible or PIV-C) environments.
The NCCoE reference design includes the following capabilities:
- authenticate users of mobile devices using secure cryptographic authentication exchanges
- provide a feasible security platform based on Federal Digital Identity Guidelines
- utilize a public key infrastructure (PKI) with credentials derived from a PIV card
- support operations in PIV, PIV-Interoperable (PIV-I), and PIV-Compatible (PIV-C) environments
- issue PKI-based derived PIV credentials at level of assurance (LoA) 3
- provide logical access to remote resources hosted either in a data center or the cloud
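The capability list above names two mechanisms without showing them: a PKI credential derived from a PIV card, and a cryptographic authentication exchange performed with that credential from a mobile device. The following Go program is an added illustration written for this page; it is not NCCoE code and not the reference design's implementation. Its names (`Authority`, `Credential`, `Enroll`, `Derive`, `Verify`), the single self-signed example CA, the 24-hour validity period and the constructed nonces are all assumptions made for the example. It shows the essential ordering the capability list implies: the holder must first prove possession of the PIV card's private key, and only then is a new key pair certified for the device under the same subject, so the PIV identity proofing is inherited rather than repeated; the relying party then accepts a challenge response only if the presented certificate chains to a trusted root, is valid for client authentication, and the signature verifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on infrastructure errors that should never occur (key generation,
// certificate encoding); policy failures are returned as errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Credential is a private key plus the certificate that binds it to a subject;
// it models both the PIV card credential and the derived credential (assumption).
type Credential struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// Respond answers a relying party's challenge with ECDSA over SHA-256(challenge).
func (c *Credential) Respond(challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	return must(ecdsa.SignASN1(rand.Reader, c.Key, h[:]))
}

// Authority is a hypothetical issuing CA trusted by the relying party.
type Authority struct {
	key    *ecdsa.PrivateKey
	cert   *x509.Certificate
	serial int64
}

// template builds a certificate skeleton valid for 24h and marked for client auth.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// NewAuthority creates a self-signed issuing CA (one CA for both credential
// types is a simplification; a real deployment uses separate Federal PKI CAs).
func NewAuthority() *Authority {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := template("Example Issuing CA", 1, true)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &Authority{key: key, cert: must(x509.ParseCertificate(der)), serial: 1}
}

// Enroll generates a fresh key pair and certifies it for cn: on the PIV card at
// issuance, and on the mobile device when a credential is derived.
func (a *Authority) Enroll(cn string) *Credential {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	a.serial++
	der := must(x509.CreateCertificate(rand.Reader, template(cn, a.serial, false), a.cert, &key.PublicKey, a.key))
	return &Credential{Key: key, Cert: must(x509.ParseCertificate(der))}
}

// Verify is the relying party's check: the certificate must chain to the trusted
// root and permit client authentication, and the signature must verify under it.
func (a *Authority) Verify(cert *x509.Certificate, challenge, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(a.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("challenge signature does not verify")
	}
	return nil
}

// Derive issues the derived credential: the holder first proves possession of the
// PIV card key; only then is a new key pair certified for the device under the same
// subject, so the PIV identity proofing carries over. The card key never leaves the card.
func (a *Authority) Derive(piv *Credential) (*Credential, error) {
	challenge := make([]byte, 32) // fresh issuer nonce, so a captured response cannot be replayed
	must(rand.Read(challenge))
	if err := a.Verify(piv.Cert, challenge, piv.Respond(challenge)); err != nil {
		return nil, fmt.Errorf("PIV authentication failed: %w", err)
	}
	return a.Enroll(piv.Cert.Subject.CommonName), nil
}
```

Running `ca := NewAuthority(); piv := ca.Enroll("Jane Doe"); dpc, err := ca.Derive(piv)` yields a device credential whose certificate carries the PIV subject, and `ca.Verify(dpc.Cert, nonce, dpc.Respond(nonce))` returns nil for a fresh relying-party nonce. The same check rejects a response replayed against a different nonce and any certificate issued by a CA the relying party does not trust, which is also why `Derive` refuses to issue for such a credential. On a real device the derived key would be generated and held in hardware-backed storage rather than in process memory.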