Derived Personal Identity Verification (PIV) Credentials

Executive Summary

• Misuse of identity, especially through stolen passwords, is a primary source for cyber breaches. Enabling stronger processes to recognize a user’s identity is a key component to securing an organization’s information systems.
• Access to federal information systems relies on strong authentication of the user with a Personal Identity Verification (PIV) Card. This “smart card” contains identifying information about the user that enables stronger authentication to federal facilities, information systems, and applications.
• Today, access to information systems is increasingly from mobile phones, tablets, and some laptops that lack an integrated smart card reader found in older, stationary computing devices, forcing organizations to have separate authentication processes for these devices.
• Derived PIV Credentials (DPCs) leverage identity proofing and vetting results of current and valid credentials used in PIV Cards for issuing credentials that are securely stored on devices without PIV Card readers.
• The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) built a laboratory environment to explore development of a security architecture that uses commercially available technology to manage the life cycle of DPCs.
• This NIST Cybersecurity Practice Guide demonstrates how organizations can provide multifactor authentication for users to access PIV-enabled websites from mobile devices that lack PIV Card readers.