3.2 Setting the configuration options
This section contains information on the MyID configuration options that control the way MyID issues derived credentials.
3.2.1 Determining which cards are available for derived credentials
You may want to configure your system to issue derived credentials only from cards that have been issued by specific federal agencies. To do this, you can match the agency code in the FASC-N.
To determine which cards you can use to request derived credentials:
- From the Configuration category, select the Operation Settings workflow.
- Click the Certificates tab.
- Set the following option:
  - Set this option to a regular expression that will be matched against the ASCII version of the card's FASC-N to determine whether the card can be used to request derived credentials. If the regular expression matches, the card can be used.
    For example:
    5400.+
    This example allows any card from the agency with code 5400 to be used. The agency code appears at the start of the ASCII FASC-N.
    Note: By default, this option is blank, which means that no cards can be used to request derived credentials. To allow all cards to be used, use the following regular expression:
    .+
- Click Save changes.
Note: This option is also used to determine which PIV cards can be imported. See the Setting the configuration options section in the Importing PIV Cards guide for details.
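The following is an added illustration, not code from the MyID guide: it builds the ASCII form of a FASC-N from its numbered fields and applies the three settings discussed above (blank, `5400.+`, and `.+`). The field layout and the assumption that the expression is matched from the start of the FASC-N are the example's own; writing the expression as `^5400` removes any dependence on that assumption.

```python
import re

# Constructed FASC-N field layout (field name, digit width), in order; this is
# an assumption of the example, not something stated in the MyID guide.
FASCN_FIELDS = [
    ("agency_code", 4), ("system_code", 4), ("credential_number", 6),
    ("credential_series", 1), ("individual_credential_issue", 1),
    ("person_identifier", 10), ("organizational_category", 1),
    ("organizational_identifier", 4), ("association_category", 1),
]


def ascii_fascn(**fields):
    """Build the 32-digit ASCII FASC-N, zero-padding each numeric field."""
    parts = []
    for name, width in FASCN_FIELDS:
        value = str(fields[name]).zfill(width)
        if len(value) != width or not value.isdigit():
            raise ValueError(f"{name} must fit in {width} digits, got {value!r}")
        parts.append(value)
    return "".join(parts)


def card_allowed(regex_setting, fascn):
    """Apply the option as the guide describes it: a blank setting allows no
    cards; otherwise the card is usable when the expression matches.
    Matching from the start of the string (re.match) is an assumption."""
    if not regex_setting.strip():
        return False
    return re.match(regex_setting, fascn) is not None


def usable_cards(regex_setting, fascns):
    """Filter a list of ASCII FASC-Ns down to those the setting would accept."""
    return [f for f in fascns if card_allowed(regex_setting, f)]


if __name__ == "__main__":
    sample = ascii_fascn(agency_code=5400, system_code=1, credential_number=12345,
                         credential_series=0, individual_credential_issue=1,
                         person_identifier=1234567890, organizational_category=1,
                         organizational_identifier=1000, association_category=1)
    print(sample, card_allowed("5400.+", sample))
```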
3.2.2 Setting the credential check period
By default, seven days after MyID issues derived credentials, it checks the original credentials that were used to request the derived credentials. If, during this period, the original credentials have become invalid (for example, because the smart card was canceled), MyID revokes the derived credentials.
The full device is canceled, not individual certificates on the device. If the device has archived certificates issued as derived credentials, these are also revoked, in addition to the authentication and signing certificates.
Note: MyID does not distinguish between the certificate being suspended or revoked; if it is on the CRL, it revokes the derived credentials.
The reason for cancellation is included in the audit information for troubleshooting purposes; this states that it was due to the PIV certificate being revoked. If your system is configured for device cancellation notifications, these are sent for the revoked derived credentials.
You must make sure that MyID can access the CRL. If the CRL is not available, MyID does not carry out any revocation, and logs the error in the audit trail. There may be a lag between the PIV issuer revoking the PIV credential and the CRL being updated and republished.
You must make sure that the PIV Issuer carries out PIV card revocation in appropriate situations; this feature relies on this step occurring to identify and trigger the revocation of derived credentials.
You can adjust the time period for the credential check.
Alternatively, you can configure MyID to repeat the revocation check at regular intervals. In this case, MyID checks the status of the original credentials at the specified interval until the issued derived credentials are canceled or have expired.
To configure the credential checks:
- From the Configuration category, select Operation Settings.
- On the Certificates tab, set the following:
  - Derived credential revocation check offset – set to the number of days after issuing derived credentials that you want MyID to check the original credentials.
  - Derived Credential Revocation Check Interval – set to the number of hours between repeated checks of the original credentials. By default this is 0, which means that the check is not repeated.
    Note: If you set this option to a value greater than 0, it overrides the Derived credential revocation check offset setting.
- Click Save changes.
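An added simulation, not part of the MyID guide, of the check schedule and outcomes described in this section: a single check after the offset when the interval is 0, repeated checks when the interval is greater than 0 (which overrides the offset), no revocation when the CRL is unavailable, and the effect of CRL republication lag. That the first repeated check falls one interval after issuance, and the constructed serials and dates, are assumptions of the example.

```python
from datetime import datetime, timedelta


def schedule_checks(issued_at, expires_at, offset_days, interval_hours):
    """Times at which MyID checks the original (PIV) credentials.

    interval_hours == 0: a single check, offset_days after issuance.
    interval_hours  > 0: checks every interval_hours until the derived
    credentials expire (the interval overrides the offset). Starting the
    repeated checks one interval after issuance is this example's assumption.
    """
    if interval_hours > 0:
        step = timedelta(hours=interval_hours)
        times, t = [], issued_at + step
        while t <= expires_at:
            times.append(t)
            t += step
        return times
    return [issued_at + timedelta(days=offset_days)]


def check_outcome(serial, crl_available, crl_serials):
    """Outcome of one check against the CRL of the deriving certificate's CA."""
    if not crl_available:
        return "error-logged"    # no revocation carried out; error goes to the audit trail
    if serial in crl_serials:    # on the CRL at all: suspended and revoked treated alike
        return "revoke-derived"  # the whole device is canceled, archived certs included
    return "valid"


def run_checks(issued_at, expires_at, offset_days, interval_hours, serial, crl_at):
    """Run the schedule; crl_at(t) -> (available, set_of_serials) models CRL
    availability and the lag before a revocation is republished. Returns the
    check time at which the derived credentials are revoked, or None."""
    for t in schedule_checks(issued_at, expires_at, offset_days, interval_hours):
        available, serials = crl_at(t)
        if check_outcome(serial, available, serials) == "revoke-derived":
            return t
    return None


# Constructed scenario: PIV certificate "1A" is revoked on 3 Jan, but the
# republished CRL listing it only becomes available on 5 Jan.
ISSUED, EXPIRES = datetime(2024, 1, 1), datetime(2024, 1, 10)


def crl_with_lag(t):
    return True, ({"1A"} if t >= datetime(2024, 1, 5) else set())
```

With the default offset of 7 days the revocation is picked up on 8 Jan; with a 24-hour interval it is picked up on 5 Jan, as soon as the CRL is republished.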
3.2.3 Configuring certificate OIDs checked on PIV cards
When a PIV card is presented to the derived credential kiosk, MyID verifies that the cardholder can perform two-factor authentication with the PIV card, performing the PKI‑AUTH check to verify the PIV Authentication certificate.
Additionally, MyID verifies the Digital Signature certificate.
These certificate checks ensure that the certificate is valid and was issued from a CA that chains up to a root certificate in the DerivedCredentialTrustedRoots store.
It also checks that the end-user certificate contains the correct OID to mark it as a PIV Authentication or Digital Signature certificate.
By default, MyID is configured with the OIDs required by FIPS 201-2; however, you can change the OIDs if required (for example, for a CIV certificate).
To configure the OIDs:
- From the Configuration category, select Operation Settings.
- On the Certificates tab, set the following:
  - Derived credential certificate OID – set this to the OID to be checked on the PIV Authentication certificate. The default value is:
    2.16.840.1.101.3.2.1.3.13
  - Derived credential signing certificate OID – set this to a semicolon-delimited list of OIDs to be checked on the Digital Signature certificate. The default value is:
    2.16.840.1.101.3.2.1.3.6;2.16.840.1.101.3.2.1.3.7;2.16.840.1.101.3.2.1.3.16
- Click Save changes.
3.2.4 Determining whether fingerprints are required for derived credentials
By default, MyID requires biometric verification to collect derived credentials. The user's fingerprints are checked against the sample stored on the card; the biometric sample is not imported into MyID.
If the smart cards onto which you want to collect derived credentials do not support biometric verification (for example, VSCs), you must set this option to No.
You can switch this option on or off:
- From the Configuration category, select Operation Settings.
- On the Biometrics tab, set the following:
- Click Save changes.
3.2.5 Updating MyID with the email address from the certificate
MyID can obtain an email address from a certificate on the deriving credential. You can configure whether to update the MyID record with this email address.
To set this option:
- From the Configuration category, select the Operation Settings workflow.
- Click the Certificates tab.
- Set the following option:
  - Update email address from derivation – set this option to Yes to update the MyID record for the derived credential owner with the email address obtained from the certificate used for derivation. The default is No.
- Click Save changes.
3.2.6 Limiting the lifetimes of derived credentials
You may want to configure your system to limit the lifetime of derived credentials to the lifetime of the certificate used to request them.
Note: Some CAs do not allow control over the time portion of the certificate expiry. When MyID sets the lifetime of the derived credential, the date is aligned with the lifetime of the deriving certificate, but the time may not match exactly, depending on the certificate authority being used.
To limit the lifetime of derived credentials:
- From the Configuration category, select the Operation Settings workflow.
- Click the Certificates tab.
- Set the following option:
  - Limit derived credential lifetime to deriving credential – set this option to Yes to ensure that any derived credentials created do not exceed the lifetime of the deriving certificate. If the lifetime of the derived credential (as determined by the Lifetime setting in the credential profile or the Maximum credential expiry date set for the person) is greater than the lifetime of the certificate in the PIV Authentication container, the lifetime of the derived credential is lowered to match the expiry date of the deriving certificate. The default is No.
- Click Save changes.