Mobile Derived PIV/CAC Credential
A Complete Solution for NIST 800-157
The Need for Mobile Derived Credentials
As US Government agencies establish plans to embrace mobile devices as alternatives to traditional desktop computers, special consideration must be given to ensure compliance with HSPD-12 / FIPS 201 Personal Identity Verification (PIV) requirements. As such, NIST specification 800-157 outlines how PIV identities can be implemented and deployed directly on mobile devices. The mobile PIV credential is called a Derived PIV Credential.
The Entrust Mobile Derived Credential solution provides government agencies and contractors with a comprehensive, frictionless, and proven solution for placing Derived PIV Credentials onto mobile devices. Entrust Mobile Derived Credentials are easily accessed by employees and help harness the power of mobile as the new desktop by providing secure, anywhere, anytime access to work files and systems.
Entrust has put together a whitepaper to help you understand the need for mobile derived credentials.
The First Complete Mobile Derived Credential Solution
- Deriving Trust from Bound Identities
The Entrust IdentityGuard Mobile Smart Credential application is encoded like a PIV smartcard, with a digital structure that follows the current PIV standard. This allows the Mobile Smart Credential to be encoded by Entrust IdentityGuard with the same certificate types and use the same communication language traditionally used on a physical PIV smartcard. The Entrust IdentityGuard Mobile Smart Credential is available for use on Apple iOS, Google Android and BlackBerry mobile operating systems.
- Self-Service Capabilities
Entrust IdentityGuard is unique in its ability to provide a Self-Service Module (SSM), granting users access to request and manage their Derived PIV Credentials without the need for administrative interaction. This approach helps reduce operational costs by limiting the need to deploy specialized enrollment stations and kiosks abroad for derived credential enrollment.
- PIN Unlock, Reset via SSM
Unlike PIV smartcards, PIN unblock and reset are easily self-managed through both the Entrust IdentityGuard SSM and directly on the mobile device through the Entrust Mobile Smart Credential application. With this solution, there is no need for a specialized kiosk for derived credential issuance and management. If policy does not allow for users to unlock or reset their derived credential PIN, or if the user loses their mobile device, the SSM allows for the old derived credential to be quickly suspended or revoked.
The Derived Credential Enrollment Process
Entrust IdentityGuard can be configured for several different Derived PIV Credential activation methods, providing the most flexible solution to meet the needs of various policies and requirements. These activation methods include:
- QR Code with password displayed
- QR Code with password via encrypted email
- Email with password displayed
- Email with password via encrypted email
These various activation options provide multiple, secure workflows for allowing a user to generate and activate their Derived PIV Credential.
Use Cases & Authentication Methods
There are two main ways a derived credential could be leveraged to increase security.
- The first is to provide access to certificate-enabled mobile applications for authentication directly through the mobile device – removing the need for username and password.
- The second is to use the derived credential to provide logical access to a traditional workstation or laptop, similar to how a PIV smartcard is used for smart card logon (SCLO).
An advantage of the Entrust Mobile Smart Credential application is that both methods of access can be easily configured, and are enhanced through Entrust partnerships with other leaders in the mobile device industry.
Easily support the diverse needs of people to securely access and transact across networks, applications, devices, and physical locations. Entrust Datacard offers a broad range of authentication solutions that help organizations respond and stay ahead in a more mobile, connected and ever-changing world.
Transform your business and protect against breaches and fraud while staying in compliance with corporate and government regulations. Entrust Datacard leverages proven industry experience to deliver trusted identity and authentication solutions that help organizations support the needs of increasingly mobile and connected people, systems, and devices.
Get Started Now
As U.S. federal agencies continue to investigate their options to bring standard enterprise and mission-critical applications securely to employees’ mobile devices, the Entrust Mobile Smart Credential solution is highly attractive to enterprise road warriors, field workers and government organizations that require high assurance trusted IDs. By partnering with key technology players, Entrust Datacard supports and solves some of the most commonly requested use cases in a variety of government agencies at many different levels with the Entrust IdentityGuard Mobile Derived Credential solution that is ready for deployment today.