Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Derived Personal Identity Verification (PIV) Credentials



William D. Newhouse


Federal Information Processing Standards (FIPS) Publication 201-2, “Personal Identity Verification (PIV) of Federal Employees and Contractors,” establishes a standard for a PIV system based on secure and reliable forms of identity credentials issued by the federal government to its employees and contractors. These credentials are intended to authenticate individuals to federally controlled facilities, information systems, and applications as part of access management. With the emergence of computing devices, such as tablets, hybrid computers, and, in particular, mobile devices, the use of Personal Identity Verification (PIV) Cards has proved to be challenging. To extend the value of PIV systems into mobile devices that do not have PIV Card readers, NIST developed technical guidelines on the implementation and life cycle of identity credentials that are issued by federal departments and agencies to individuals who possess and prove control over a valid PIV Card. These NIST guidelines, published in 2014, describe Derived PIV Credentials (DPCs) that leverage identity proofing and vetting results of current and valid PIV credentials. To demonstrate the DPC guidelines, the NCCoE at NIST built two security architectures by using commercial technology to enable the issuance of a Derived PIV Credential to mobile devices that use Federal Identity Credentialing and Access Management shared services. One option uses a software-only solution while the other leverages hardware built into many computing devices used today. This project resulted in a freely available NIST Cybersecurity Practice Guide that demonstrates how an organization can continue to provide multifactor authentication for users with a mobile device that leverages the strengths of the PIV standard. Although this project is aimed primarily at the federal sector’s needs, it is also relevant to mobile device users with smart- card-based credentials in the private sector.
Special Publication (NIST SP) - 1800-12
Report Number


cybersecurity, Derived PIV Credential (DPC), Enterprise Mobility Management (EMM), identity, mobile device, mobile threat, multifactor authentication, personal identity verification (PIV), PIV Card, smart card


Newhouse, W. (2019), Derived Personal Identity Verification (PIV) Credentials, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed February 21, 2024)
Created August 27, 2019, Updated January 27, 2020