3.2 PIV card issuance
The card issuance process is as follows:
-
Approve the applicant
Before you can request a card for a person, you must mark the completion of their PIV enrollment and approve them to be issued a PIV card. This also allows you to set the vetting date and apply a maximum expiry date for any credentials they are issued.
Use the Status tab and the Approve Person option on the View Person screen.
See the Setting the person's status and Approving user data sections in the MyID Operator Client guide.
-
Request
A card request is made in MyID to create a job for issuance. A credential profile is selected for use, and optionally an expiry date set.
Use the Request Device option on the View Person screen to collect the device.
See the Requesting a device for a person section in the MyID Operator Client guide.
-
Approve
The card request is reviewed and either approved or rejected. The credential profile and expiry date is reviewed and if necessary amended.
To include a validation stage in the process, set the Validate Issuance option on the credential profile.
Use the Approve Request option on the View Request screen to collect the device.
See the Approving, rejecting, and canceling requests section in the MyID Operator Client guide.
-
Assign
The card to be issued is assigned to the user account, card security is configured (Administrator PINs and keys are set) and the card surface is printed.
Use the Collect option on the View Request screen to collect the device.
See the Collecting a device request section in the MyID Operator Client guide.
You can also use the Batch Collect Card workflow; see the Collecting a batch of cards section in the Operator's Guide for details.
Note: Do not use the Issue Card workflow. This does not support the PIV card issuance process.
-
Personalize
The electronic data within the applet is written, including the FASC-N, CHUID, Printed Information and Biometric data. Certificates are generated and written to the card.
If you want to personalize the card electronically (including certificate issuance) before the cardholder carries out the activation process, you can choose when this takes place in MyID. This is optional – if you do not personalize the card at this stage, the electronic personalization takes place during card activation.
Card personalization can take place at the following points in the process:
-
During the Collect or Batch Collect Card processes, at the same time as the Assign step.
-
Using the Batch Encode Card workflow as a separate encoding stage.
Additional checks are made during this process to ensure that:
-
The PIV card expiry date does not exceed the lifetime of the signing certificate.
-
The biometric data will not expire during the lifetime of the card.
-
Facial biometric data is present for the applicant.
-
-
Activate
Make sure that the credential profile is set up to use activation. Set the Require Activation option to Allow self collection or Assisted activation only.
The cardholder authenticates to MyID using fingerprint verification – set the Require fingerprints at Issuance option in the credential profile – sets the user PIN, and activates the card. The card is now fully issued and can be used.
The cardholder can carry out a self-service activation using the Self-Service App or through the self-service menu in the MyID Operator Client; see the Collecting self-service requests section in the MyID Operator Client guide.
Alternatively, an operator can guide the cardholder through activation using the Assisted Activation option on the View Device screen, depending on how you have set the Require Activation option in the credential profile; see the Activating a device section in the MyID Operator Client guide.
Note: MyID uses the term "activation" to refer to the final handover stage of the PIV card to the cardholder.
You can also combine the personalization and activation stages; however, as it may take some time to generate four 2048-bit key pairs on a card during the personalization stage, if you want to keep the cardholders' time spent interacting with MyID to a minimum, it is recommended that you personalize the cards before the cardholders activate them.
Note: FIPS 201-3 requires more than one person to be involved in issuing a PIV card. MyID will not permit the same person to request and validate, or validate and collect a PIV card. However, MyID allows the same operator to request and collect a card – if you do not have a validation stage, you can use the Edit Roles workflow to assign the request and collect workflows to different roles and ensure that more than one person is involved in issuing a PIV card.
3.2.1 Cardholder authentication
With self-service activation, the cardholder is prompted to provide a fingerprint for authentication before the card can be activated. If the cardholder cannot verify their fingerprints, they will not be able to activate their card without assistance from a MyID operator.
The Assisted Activation operation can be used to allow fingerprint authentication to be retried – if a fingerprint match still cannot be achieved, the operator can override the need for fingerprint verification.
In situations where the identity of the cardholder needs to be proven before carrying out an operation on their behalf, such as activating a card, the Authenticate Person workflow can be used to record how the cardholder was identified. This operation allows details of the identity documents (approved for use for identification in FIPS 201-3) to be recorded and stored as part of the MyID audit records for future reference. Details of the authentication can be viewed in the Audit History tab of the cardholder's user account record in MyID. See the Authenticating a person section in the MyID Operator Client guide.