Derived PIV/CAC Credential


Simplicity and Security for Mobile Users

Entrust Datacard™ Derived PIV/CAC Credentials solution enables organizations to harness the power of mobile by providing secure, anywhere, anytime access to applications, work files and systems. Our end-to-end solution streamlines deployment, user enrollment and credentials management, and aligns with NIST SP 800-157 for compliance with the HSPD12/FIPS 201-2 Personal Identity Verification (PIV) requirements.

By partnering with key technology players, Entrust Datacard supports and solves some of the most commonly requested use cases across government agencies at many different levels. The Entrust IdentityGuard Mobile Derived Credential solution is ready for deployment today.

A Complete Solution for NIST 800-157

The Need for Mobile Derived Credentials

As U.S. Government agencies establish plans to embrace mobile devices as alternatives to traditional desktop computers, special consideration must be given to ensure compliance with HSPD12 / FIPS 201 Personal Identity Verification (PIV) requirements. As such, NIST specification 800-157 outlines how PIV identities can be implemented and deployed directly on mobile devices. The mobile PIV credential is called a Derived PIV Credential.

The Entrust Datacard Mobile Derived Credential solution provides government agencies and contractors with a comprehensive, frictionless, and proven solution for placing Derived PIV Credentials onto mobile devices. Entrust Datacard Mobile Derived Credentials are easily accessed by employees and help harness the power of mobile as the new desktop by providing secure, anywhere, anytime access to work files and systems.

Entrust Datacard has put together a white paper to help you understand the need for mobile derived credentials.

The First Complete Mobile Derived Credential Solution

Deriving Trust from Bound Identities
The Entrust IdentityGuard Mobile Smart Credential application is encoded like a PIV smartcard, with a digital structure that follows the current PIV standard. This allows the Mobile Smart Credential to be encoded by Entrust IdentityGuard with the same certificate types and use the same communication language traditionally used on a physical PIV smartcard. The Entrust IdentityGuard Mobile Smart Credential is available for use on Apple iOS, Google Android and BlackBerry mobile operating systems.

Self-Service Capabilities
Entrust IdentityGuard is unique in its ability to provide a Self-Service Module (SSM), which lets users request and manage their Derived PIV Credentials without the need for administrative interaction. This approach helps reduce operational costs by limiting the need to deploy specialized enrollment stations and kiosks abroad for derived credential enrollment.

PIN Unlock, Reset via SSM
Unlike with PIV smartcards, PIN unblock and reset are easily self-managed, both through the Entrust IdentityGuard SSM and directly on the mobile device through the Entrust Mobile Smart Credential application. With this solution, there is no need for a specialized kiosk for derived credential issuance and management. If policy does not allow users to unlock or reset their derived credential PIN, or if the user loses their mobile device, the SSM allows the old derived credential to be quickly suspended or revoked.

The Derived Credential Enrollment Process


Entrust IdentityGuard can be configured for several different Derived PIV Credential activation methods, providing the most flexible solution to meet the needs of various policies and requirements. These activation methods include:

    • QR Code with password displayed
    • QR Code with password via encrypted email
    • Email with password displayed
    • Email with password via encrypted email

These various activation options provide multiple, secure workflows for allowing a user to generate and activate their Derived PIV Credential.

Use Cases & Authentication Methods

There are two main ways a derived credential could be leveraged to increase security.

    • The first is to provide access to certificate-enabled mobile applications for authentication directly through the mobile device, removing the need for username and password.
    • The second is to use the derived credential to provide logical access to a traditional workstation or laptop, similar to how a PIV smartcard is used for SCLO.

An advantage of the Entrust Mobile Smart Credential application is that both methods of access can be easily configured, and are enhanced through Entrust partnerships with other leaders in the mobile device industry.


Measurable Benefits

Easily support the diverse needs of people to securely access and transact across networks, applications, devices, and physical locations. Entrust Datacard offers a broad range of authentication solutions that help organizations respond and stay ahead in a more mobile, connected and ever-changing world.

Transform your business and protect against breaches and fraud while staying in compliance with corporate and government regulations. Entrust Datacard leverages proven industry experience to deliver trusted identity and authentication solutions that help organizations support the needs of increasingly mobile and connected people, systems, and devices.