2.5 FIPS 201-3 and derived credentials

MyID derived credentials comply with the requirements of FIPS 201-3 in the following ways.

| FIPS 201-3 Compliance | MyID Derived Credentials |
| --- | --- |
| Identity Level of Assurance 3 (LOA3) – Remote Identity Collection | The applicant approaches the Self-Service Kiosk and inserts their PIV card. |
| Applicant Must Demonstrate Possession and Control of the Related PIV Card | The PIV card is validated to ensure that it has not been tampered with. |
| Applicant Must Demonstrate Possession and Control of the Related PIV Card | The applicant enters their PIN for PIV card authentication. |
| The Applicant Shall Identify Himself/Herself Using a Biometric Sample That Can be Verified Against the Applicant’s PIV Card | The applicant completes fingerprint verification. |
| Validate Identity Certificate to Federal Bridge | The PIV Auth Cert on the card is checked to ensure that it is valid and has not been revoked. |
| Promptly Notify the Cardholder of the Binding of a Derived PIV Credential | MyID can notify the applicant by email that a request for derived credentials has been made. The email address can be retrieved, if available, from certificates on the PIV card when using the MyID Self-Service Kiosk. An email address can also be added by synchronizing with Active Directory to retrieve the information. MyID can be configured to reject derived credential requests where no email address is present for the applicant in MyID. |
| Key Generation on FIPS 140-2 Level 1 Software Cryptographic Module (iOS) | Certificates and keys are provisioned to a FIPS 140-2 validated credential store on the mobile device. |
| 7-Day Revocation Check if Card is Revoked Within 7 Days After Issuance of Derived Credentials | The applicant's original PIV card is validated 7 days after initial issuance of derived credentials. |
| All Communications Shall be Authenticated and Protected from Modification | Communication is secured during the derived credentials process. |
| The Issuer of the Derived PIV Credential Shall Implement a Process that Maintains a Link Between the Subscriber’s PIV Card and the Derived PIV Credential to Enable the Issuer of the Latter Credential to Track the Status of the PIV Card in Order to Perform Timely Maintenance and Termination Activities in Response to Changes in the Status of the PIV Card | The applicant's PIV card and derived credentials are linked to ensure that credentials can be managed effectively. |
| When Invalidation Occurs, the Issuer Shall Notify the Cardholder of the Change | MyID can send an email notification to the credential owner when derived credentials are cancelled. |
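The card-to-credential link, the 7-day post-issuance re-check, the rejection of requests with no email address on record, and the cancellation notification described in the rows above can be modelled as one small lifecycle. The following is an added illustration of that lifecycle (it is not MyID code); the class and method names, the epoch-second timestamps and the sample card identifiers are all hypothetical.

```python
from dataclasses import dataclass, field

# FIPS 201-3 post-issuance window: the PIV card is re-validated 7 days after issuance.
RECHECK_WINDOW_SECONDS = 7 * 24 * 3600

@dataclass
class PivCard:
    card_id: str
    email: str = ""          # from card certificates or Active Directory; may be absent
    revoked: bool = False    # status of the PIV Auth certificate (hypothetical flag)

@dataclass
class DerivedCredential:
    card_id: str             # link back to the originating PIV card
    issued_at: int           # epoch seconds (constructed sample values in tests)
    status: str = "active"
    notifications: list = field(default_factory=list)  # (event, email) pairs sent to the owner

class DerivedCredentialIssuer:
    """Hypothetical issuer that maintains the card/derived-credential link."""
    def __init__(self, require_email=True):
        self.require_email, self.cards, self.creds = require_email, {}, {}

    def issue(self, card, now):
        """Bind a derived credential to the card, notifying the applicant of the request."""
        if card.revoked:
            raise ValueError("PIV Auth certificate is revoked; request rejected")
        if self.require_email and not card.email:
            raise ValueError("no email address on record; request rejected")
        cred = DerivedCredential(card.card_id, now)
        cred.notifications.append(("request-made", card.email))  # prompt notification
        self.cards[card.card_id], self.creds[card.card_id] = card, cred
        return cred

    def seven_day_check_due(self, card_id, now):
        """True once an active derived credential has reached the 7-day re-validation point."""
        cred = self.creds[card_id]
        return cred.status == "active" and now - cred.issued_at >= RECHECK_WINDOW_SECONDS

    def track_card_status(self, card_id):
        """Maintenance step: a revoked PIV card cancels the derived credential and notifies the owner."""
        card, cred = self.cards[card_id], self.creds[card_id]
        if cred.status == "active" and card.revoked:
            cred.status = "cancelled"
            cred.notifications.append(("cancelled", card.email))
        return cred.status
```

Running `track_card_status` at issuance, at the 7-day check and on every later status change is what keeps the derived credential's state in step with the PIV card it was bound to.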