2.3 The derived credentials process

The process is as follows:

  1. You collect and activate a smart card from MyID.

    Alternatively, you obtain a smart card from another system.

  2. At the Self-Service Kiosk, insert your issued smart card.
  3. If required, validate your fingerprints.
  4. Request a derived credential based on your original credential.

  5. Follow the collection procedure for the type of derived credential you need.

    For mobile identities:

    1. If you do not already have the MyID Identity Agent app, the Kiosk displays a QR code that allows you to download the app.

      You must configure the appropriate URLs for each mobile platform you are using – see the Issuance Processes page (Operation Settings) section in the Administration Guide for details of the App Download URL configuration options on the Issuance Processes page of the Operation Settings workflow.

      Note: You can configure MyID to display an alternative text-based URL that you can type in as an alternative to scanning the QR code. For details, contact customer support, quoting reference SUP-180.

    2. Open the MyID Identity Agent app and scan the displayed QR code.
    3. The MyID Identity Agent app downloads the certificates and badge layouts.
    4. Your device now contains a mobile identity derived from your original credentials.

    For Microsoft VSC-based derived credentials:

    1. If a one-time password is displayed on screen, take a note of this.

      Note: To make use of a logon code, the user must have a SAM account name, otherwise the Self-Service App is unable to target the job when the user logs into their workstation. You must also make sure that the Allow Logon Codes configuration option (on the Logon page of the Security Settings workflow) is set to Yes.

    2. Check your email for instructions on installing the VSC on your PC.

      Note: The user must have an email address registered within MyID. For imported users with cards issued by another system, they must have an email address attribute mapping in their signing and encryption certificates, as otherwise MyID cannot send an email notification to initiate collection of a VSC.

  6. The derived credentials can be managed by MyID independently of the original credential – you can disable or cancel them.

    Note: To renew or replace a derived credential, you must cancel the derived credential then repeat the original request process. This ensures all required derived credential verification steps take place.

  7. After seven days, MyID performs a revocation check against the PIV Authentication certificate used during the request for derived credentials. If this certificate has been revoked, MyID revokes the derived credentials.