Entrust to add support for YubiKeys with PIV alternative and PIV derived credentials, advancing secure mobile and desktop authentication

June 16, 2021 5 minute read

Today marks an important day for expanding Yubico’s reach to support the growing requirement for Government agencies to issue government credentials beyond Personal Identity Verification (PIV) cards. We are celebrating that our partner Entrust will soon launch support for derived PIV credentials for YubiKeys. Customers will be able to take advantage of YubiKeys with derived PIV credentials using either Entrust’s Managed PKI service or Identity platform. 

Entrust Identity is an integrated IAM (Identity Access Management) platform that supports a full suite of workforce, consumer, and citizen use cases. YubiKey support is included with Entrust Identity Enterprise. As well, Identity Enterprise joins Identity as a Service and Identity Essentials as part of the Works with YubiKey program.

With Entrust support for YubiKeys, government agencies will be able to issue YubiKey 5 Series and YubiKey 5 FIPS Series with derived PIV credentials to employees instantly, remotely, and at scale. 

“Extending support of Personal Identity Verification (PIV) for Yubico is a critical requirement for our mutual customers’ success,” stated James LaPalme, VP and General Manager, Identity Business Unit, Entrust. “We are pleased to work with Yubico to help government agencies realize strong purpose-built authentication that is also mobile friendly.”

The United States Federal Government has been issuing strong cryptographic hardware authentication devices to its civilian employees and contractors for more than 15 years. These devices, called PIV cards, combine a strong Public Key Infrastructure (PKI) credential with a robust identity proofing and background check process on a physical smart card. Issuance and use of the PIV card is mandated by a number of laws, regulations, and mandates for all Federal employees and contractors who need to access Federal Government IT systems, applications, and data. As a result of the intensive identity proofing process, the PIV card issuance process provides a strong anchor that can be used to assert an identity. 

Unfortunately, while providing a high level of security, the smart card form factor presents a number of barriers for today’s mobile and desktop environments. Smart cards must be used with a smart card reader during the authentication process, creating challenges while using PIV cards to authenticate to portable devices and tablets. Furthermore, external smart card readers can introduce additional complexity to use and are expensive to deploy and maintain at scale. 

Adoption of smart card form factors has also been limited for teleworkers as highlighted by COVID-19, where usage of employee’s personal devices to access government networks and applications remotely has increased, thus requiring the need for yet another external smart card reader for users personal laptops and desktops. 

To address the above issues, NIST developed guidance around the issuance of Derived PIV credentials in Special Publication 800-157. A derived credential is an alternate credential that is “derived” from the eligibility for a PIV card. To date, these derived credentials are normally PKI certificates stored on mobile devices, but this can present security concerns when stored on non-GFE (government furnished equipment) that are not actively managed or patched.

Why should derived PIV credentials be on YubiKeys and how can this fit into the recent Biden Executive Order?

Storing a Derived PIV credential on a hardware security key, such as the YubiKey 5 FIPS Series, provides the following important benefits.

  • The private key resides on the YubiKey, purpose-built external authenticator that is solely focused on authentication and encryption that minimizes the attack surface.
  • The credential can be generated on the YubiKey, keeping the private key secure, versus generating the credential elsewhere and importing it onto a mobile device.
  • The external authenticator can be validated at a higher authenticator assurance level than offered by a mobile device. The YubiKey 5 FIPS Series is FIPS 140-2 validated Overall level 2, Physical Security Level 3 (Certificate #3914). 
  • The YubiKey with the loaded credential can act as a portable root of trust, enabling remote and teleworking employees and contractors to securely authenticate to government networks and applications via Bring Your Own Approved Device (BYOAD).
  • YubiKey’s latest form factors with USB-C, lightning, and NFC allow for the ‘tap-and-go’ usability needs of mobile users by easily and seamlessly enabling authentication across multiple devices such as desktop computers, laptops, mobile devices, and tablets.
  • YubiKeys don’t require batteries or a network connection, are crush resistant, waterproof, and dustproof, making them ideal for front-line and off-site focused work scenarios. 

We are also extremely excited that this integration with Entrust comes at the heels of our YubiKey 5 FIPS Series launch that enables our customers to meet the requirements for Authenticator Assurance Level 3 (AAL3) as defined in NIST SP800-63B. Being able to be secure and compliant with this partnership has never been easier, we are confident this will bring a whole new scale adoption to help secure Federal infrastructure and data.

PIV alternative, PIV derived credentials, and FIDO2

In addition to PIV and derived PIV support in Identity Enterprise, Entrust also supports FIDO2 credentials with Identity as a Service. FIDO2 credentials, similar to PIV, leverage asymmetric cryptography providing strong hardware-backed authentication. Entrust’s Identity as a Service offering allows users to register a FIDO2 credential that is securely stored in a YubiKey. Leveraging the same YubiKey for PIV and FIDO2 credentials, integrated into the Entrust Identity platform, provides for a wider range of strong authentication across a user’s access landscape reducing the reliance on weaker forms of authentication.

To learn more about Entrust-derived PIV credential issuance with YubiKeys, please contact us and attend our joint webinar “Strong Authentication for U.S. Government Employees” on July 28, 2021, at 11:00 a.m. EST (8:00 a.m. PST).

Share this article:

Recommended content


Zero Trust is the new regulatory minimum for Federal agencies: what does that mean for authentication?

The deadline is looming for federal agencies to implement impersonation-resistant multi-factor authentication (MFA), just one of the new stronger security requirements under President Biden’s new cybersecurity executive order (EO 14028). The EO puts security front and center to address some of the worst cyber attacks against the federal government, setting up new federal compliance expectations ...


Everything you need to know about the revised eIDAS regulation

In June 2021, the EU Commission announced its plans for a revised eIDAS regulation. eIDAS (electronic IDentification, Authentication and trust Services) is the EU regulation 910/2014 on electronic identification and trust services in the EU. It came into force in 2014, so the revision is a major update to eIDAS. The past two years the ...


Seven tips if you’re still scratching your head after reading Biden’s cybersecurity executive order

Yubico works with a lot of federal agencies and contractors, as well as with customers in regulated industries, so we understand the challenges new compliance regulations can bring. The executive order that was released May 12 can be seen as the federal government fully embracing the move toward multi-factor authentication (MFA) for use cases where ...


Yubico brings the YubiKey to the .NET ecosystem with its new desktop SDK

In continuation with our mission to bring strong authentication to the world, Yubico is excited to announce that integrating the YubiKey into your .NET application or workflow will now be easier than ever before. This is enabled with the introduction of the new YubiKey SDK for Desktop. With this Desktop SDK, you can now add ...