MyID Derived Credentials & Mobile Authentication

Vendor: Intercede
Category: Mobile Credential Management
Deployment: On-premises (server) with mobile app

Overview

MyID Derived Credentials provides NIST SP 800-157-compliant derived PIV credentials for mobile devices, extending the identity established on a physical smart card to smartphones and tablets. The MyID Authenticator app enables mobile authentication into cloud resources and corporate systems using these derived credentials or FIDO authentication, maintaining strong identity assurance without requiring users to carry and present physical smart cards for every access event.

Unsung implements derived credential solutions for UK customers in government and defence environments where users hold PKI smart cards but need to authenticate from mobile devices without compromising the assurance level of their identity credentials.

The Challenge

Organisations that have invested in PKI smart card authentication face a mobility challenge: smart cards provide strong authentication at desktop workstations with card readers, but users increasingly need to access systems and resources from smartphones and tablets where physical smart card readers are impractical. Simply issuing separate, unlinked mobile credentials undermines the identity assurance model because the mobile credential is not cryptographically bound to the original, vetted smart card identity.

Derived credentials solve this by creating mobile certificates that are cryptographically linked back to the user’s original PIV or smart card identity, maintaining the chain of trust whilst enabling mobile access. However, managing derived credentials — issuance, lifecycle, and revocation — requires integration between the credential management system, mobile device management, and the underlying PKI.

What It Does

MyID Derived Credentials manages the process of deriving mobile certificates from existing PIV or smart card identities. The derived credential is cryptographically bound to the original identity, ensuring that the mobile credential carries the same identity assurance as the physical card from which it was derived. If the original smart card is revoked, the derived mobile credential is also revoked, maintaining consistency across all credential forms.

The MyID Authenticator app provides the mobile authentication client, enabling users to authenticate to cloud services, corporate applications, and VPN connections using their derived credential. The app supports both PKI-based certificate authentication and FIDO protocols, giving organisations flexibility in how they implement mobile authentication whilst maintaining strong identity assurance.

How Unsung Helps

Unsung helps clients extend their existing smart card PKI to mobile devices through derived credential implementations. Our consultants design the integration between MyID, the organisation’s existing PKI, and their mobile device management platform to ensure a seamless credential lifecycle. Our PKI Consultancy service provides guidance on mobile authentication strategy and derived credential architecture.

Related Unsung Services

PKI Consultancy — Advisory on mobile authentication strategy and derived credential architecture.

PKI Design & Build — Design and implementation of mobile credential environments.

Certificate Lifecycle Management — Lifecycle management across smart card and derived mobile credentials.