Derived Credentials

A Derived Credential is a client certificate generated on (or issued to) a mobile device after an end user proves their identity with their existing smart card (CAC or PIV) during an enrollment process.

Derived Credentials provide government agencies and contractors with a replacement for smart card authentication on mobile devices that meets the high security requirements of the government sector. Both the Department of Defense (DoD) and all Federal civilian agencies must use smart cards for physical and network access. Integrating smart cards with laptops and desktops is straightforward: laptops have built-in smart card readers, and desktops use USB-based smart card readers. Desktops and laptops also support smart cards at the operating system level, so any application that runs on the operating system can use the smart card. With the widespread use of mobile devices as the primary method of accessing internal resources, federally controlled information systems and applications had to change how authentication is done.

To meet this need, NIST updated the FIPS 201 standards to include “Guidelines for Derived Personal Identity Verification (PIV) Credentials.” Instead of using the CAC or PIV card as laptops and desktops do, this standard provides guidelines for generating and using an alternative token that can be implemented and deployed directly on mobile devices. This newly derived PIV credential is called a derived credential or PIV-D.

VMware PIV-D Manager

VMware PIV-D Manager is a mobile application that integrates with various Derived Credential solution providers, enabling the use of Derived Credentials with Workspace ONE UEM.

Derived Credentials Solutions Supported by Workspace ONE UEM

There are multiple government off-the-shelf (GOTS) and commercial off-the-shelf (COTS) providers of Derived Credentials in the market today. The vendors currently supported by the PIV-D Manager app are DISA Purebred, Entrust IdentityGuard, Intercede MyID, XTec, and Workspace ONE UEM. Once the app is configured in the Workspace ONE™ UEM console, the user follows the enrollment steps for the vendor configured for their device.