Replacing the Primary Device (PIV Device)

The PIV (Personal Identity Verification, the technical standard behind HSPD-12) device has been declared lost or stolen and its credentials are suspended. The mobile device is unaffected, except for the encryption credential it shares with the PIV device.

The replacement PIV device is issued with a new encryption certificate, so the mobile device must be updated so that it holds the same shared encryption certificate.

Initial state:

  • An incident has been declared for the PIV device.

  • The derived mobile device is active but its encryption certificate is suspended.

Operations:

  1. Issue the replacement PIV device. For details, see Requesting a Replacement Device. (The initial PIV device is then terminated automatically.)

  2. Using the Help Desk, create an applications update request for the mobile app certificates so that the new encryption certificate can be recovered onto the mobile device (manual operation). For details, see Requesting an Applications Update.

  3. Update the mobile device (on the User Portal). For details, refer to the ActivID CMS User online documentation.

Result:

  • The replacement PIV device is issued with 3 new credentials as well as the previous encryption certificate (recovered). This device becomes the current PIV device for the end user.

  • The initial PIV device is terminated and its credentials are revoked (since it was declared lost or stolen).

  • The mobile device is updated by adding the new encryption certificate shared with the replacement PIV device.

Operation                                                                      | Initial PIV Device    | Replacement PIV Device       | Mobile Device
-------------------------------------------------------------------------------|-----------------------|------------------------------|------------------------------
1. Initial state                                                               | AUTH_1, SIGN_1, ENC_1 | N/A                          | AUTH_2, SIGN_2, ENC_1
2. Issue replacement PIV device                                                | AUTH_1, SIGN_1, ENC_1 | AUTH_3, SIGN_3, ENC_2, ENC_1 | AUTH_2, SIGN_2, ENC_1
3. Terminate initial PIV device                                                | AUTH_1, SIGN_1, ENC_1 | AUTH_3, SIGN_3, ENC_2, ENC_1 | AUTH_2, SIGN_2, ENC_1
4. Create applications update request for mobile app certificates (Help Desk) | AUTH_1, SIGN_1, ENC_1 | AUTH_3, SIGN_3, ENC_2, ENC_1 | AUTH_2, SIGN_2, ENC_1
5. Update mobile device (User Portal)                                          | AUTH_1, SIGN_1, ENC_1 | AUTH_3, SIGN_3, ENC_2, ENC_1 | AUTH_2, SIGN_2, ENC_2, ENC_1

Note: After a mobile device is updated with a new encryption certificate, the former certificate remains installed on the device unless it is manually removed; however, it is no longer displayed in the device profile on the Help Desk.
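As an added illustration (not ActivID CMS code), the following Python replays the credential states from the table above as a small model and reports the steps during which the mobile device does not yet hold the encryption certificate of the current PIV device, which is the window in which it cannot decrypt data encrypted to the replacement device's new key. The device records, the step labels and the rule that the highest ENC_n is the newest certificate are assumptions of this model.

```python
# Added example; not ActivID CMS code. Device records, step labels and the
# "highest ENC_n is the newest certificate" rule are assumptions of this model.
from copy import deepcopy

def enc_certs(creds):
    """Encryption credentials on a device, e.g. ['ENC_1', 'ENC_2']."""
    return [c for c in creds if c.startswith("ENC_")]

def newest_enc(creds):
    """Most recently issued encryption credential (highest ENC_n)."""
    return max(enc_certs(creds), key=lambda c: int(c.split("_")[1]))

def replacement_workflow():
    """Replay steps 1-5 of the table; returns a list of (step, devices) snapshots."""
    devices = {
        "initial": {"creds": ["AUTH_1", "SIGN_1", "ENC_1"], "status": "suspended"},
        "replacement": None,
        "mobile": {"creds": ["AUTH_2", "SIGN_2", "ENC_1"], "status": "active"},
    }
    snapshots = [("1. Initial state", deepcopy(devices))]
    # Step 2: three new credentials plus the recovered ENC_1, so data encrypted
    # to the old key stays readable on the replacement device.
    recovered = enc_certs(devices["initial"]["creds"])
    devices["replacement"] = {"creds": ["AUTH_3", "SIGN_3", "ENC_2"] + recovered,
                              "status": "active"}
    snapshots.append(("2. Issue replacement PIV device", deepcopy(devices)))
    # Step 3: the lost/stolen device is terminated; its credentials are revoked.
    devices["initial"]["status"] = "terminated"
    snapshots.append(("3. Terminate initial PIV device", deepcopy(devices)))
    # Step 4: Help Desk creates the applications update request; nothing changes
    # on the devices until the user runs the update.
    snapshots.append(("4. Create applications update request", deepcopy(devices)))
    # Step 5: User Portal update adds ENC_2; ENC_1 remains installed (see Note).
    devices["mobile"]["creds"].append(newest_enc(devices["replacement"]["creds"]))
    snapshots.append(("5. Update mobile device", deepcopy(devices)))
    return snapshots

def steps_mobile_out_of_sync(snapshots):
    """Steps at which the mobile device lacks the current PIV device's newest
    encryption certificate, i.e. cannot decrypt data encrypted to it."""
    return [step for step, d in snapshots
            if newest_enc((d["replacement"] or d["initial"])["creds"])
            not in d["mobile"]["creds"]]

if __name__ == "__main__":
    snaps = replacement_workflow()
    for step, d in snaps:
        print(step, {k: v and v["creds"] for k, v in d.items()})
    print("mobile out of sync at:", steps_mobile_out_of_sync(snaps))
```

Running it lists the three steps (2, 3 and 4) during which the mobile device only holds ENC_1, which is why the applications update in step 5 should not be deferred.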