About Derived Credentials

In ActivID CMS, the ability to issue credentials (mobile app certificates) on a mobile device depends on the existence of another credential managed by ActivID CMS, considered a “primary” credential: a smart card or a virtual smart card (VSC). The enrollment process required for the issuance of the primary credential, such as capturing user data (name, email address, phone number, picture, fingerprint, ID or passport documents, etc.) and the vetting that follows (background check, identity proofing), does not need to be repeated when issuing new credentials to the same user. Instead, ActivID CMS can issue a new credential (“derived credential”) to the same user based on the validity of the earlier credential (“primary credential”).

ActivID CMS will maintain a link between the primary and derived credentials, but each credential will contain separate certificates and have its own lifecycle. For example, a user may get a replacement device and keep the same mobile app certificates unchanged; or vice versa, a user may get a new phone, without impacting his/her smart card.

In the case of encryption certificates, ActivID CMS will issue the same encryption certificate on all devices assigned to a given user, to enable viewing encrypted emails whatever system is used to access them (for example, a Windows PC or a mobile phone).

ActivID CMS is designed for compliance with “Derived PIV Credentials,” as defined in NIST (National Institute of Standards and Technology) FIPS (Federal Information Processing Standard) 201-2 and NIST SP 800-157. In this model, the “primary credential” is a PIV (Personal Identity Verification, the technical standard of "HSPD-12"), PIV-I (Personal Identity Verification - Interoperable) or CIV (Commercial Identity Verification) card, containing Authentication, Signature and Encryption certificates, and the associated mobile device (phone or tablet) is a “derived PIV credential” also containing Authentication, Signature and Encryption certificates.

For each user, the primary device (PIV, PIV-I or CIV card) must be issued first. New authentication, signature and encryption certificates are present on each card; the encryption certificate is escrowed on the Certificate Authority (CA) by ActivID CMS and is now considered a “shared encryption credential.” When the mobile app certificates are issued, new signature and authentication certificates are created for the mobile device; the “shared encryption” certificate is recovered on the mobile device.

For added security, the system checks the validity of the primary device (PIV device) again 7 days after the issuance of a PIV derived credential. If the PIV device had been reported as stolen during that period, the mobile device is then terminated.

The link between a primary device and its derived device(s) is managed automatically by ActivID CMS: no additional operation is required from a Help Desk operator.

More specifically, this means:

  • Any revocation action performed on a shared encryption certificate automatically revokes the encryption certificates on all devices where it is present (card or mobile device).

  • When a user name changes, requiring a PIV device update, an operator can also request similar updates for any derived credentials.

  • Terminating a primary device (with no replacement issued) also terminates all its derived devices automatically.

Important: To avoid inadvertent termination of derived credentials, it is not recommended to issue a derived credential from a temporary card or, in a FIPS 201-compliant environment, when the primary PIV credential is going to expire in less than 7 days.
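The lifecycle rules above can be modeled in a few lines to show why the 7-day guidance matters. This is an added illustration, not ActivID CMS code or its API: the class and function names are hypothetical, and it assumes that an expired primary fails the 7-day recheck in the same way as one reported stolen.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

RECHECK_DELAY = timedelta(days=7)  # recheck interval stated on this page

@dataclass
class Primary:  # hypothetical model of a PIV / PIV-I / CIV card
    expires: datetime
    temporary: bool = False
    reported_stolen_at: Optional[datetime] = None
    terminated: bool = False
    derived: list = field(default_factory=list)

    def valid_at(self, when):
        stolen = self.reported_stolen_at is not None and self.reported_stolen_at <= when
        # Assumption: expiry invalidates the primary just as a theft report does.
        return not (self.terminated or stolen or when >= self.expires)

@dataclass
class Derived:  # hypothetical model of the mobile credential
    primary: Primary
    issued: datetime
    terminated: bool = False

def issuance_warnings(primary, now):
    """Pre-issuance checks taken from the Important note."""
    warnings = []
    if primary.temporary:
        warnings.append("primary is a temporary card")
    if primary.expires - now < RECHECK_DELAY:
        warnings.append("primary expires in less than 7 days")
    return warnings

def issue_derived(primary, now):
    if not primary.valid_at(now):
        raise ValueError("primary credential is not valid")
    d = Derived(primary, now)
    primary.derived.append(d)  # link maintained between primary and derived
    return d

def recheck(derived):
    """7-day follow-up: terminate the derived credential if the primary is invalid."""
    if not derived.primary.valid_at(derived.issued + RECHECK_DELAY):
        derived.terminated = True
    return derived.terminated

def terminate_primary(primary):
    """Termination with no replacement cascades to every derived device."""
    primary.terminated = True
    for d in primary.derived:
        d.terminated = True
```

Running `issuance_warnings` before `issue_derived` surfaces the two conditions the Important note warns about, which in this model would otherwise end in termination at the recheck.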