In applications including network domains, you will associate the PIV credential with your accounts. This process is not unique to PIV credentials and usage; it is a general concept that occurs in many applications, including your personal email accounts, your bank accounts, or your favorite social media app.
Associating a credential with an account is called account linking.
Identifiers are the values in credentials that are used for account linking. We focus on the PIV Authentication certificate and its identifiers in this section to help you understand the options, and to design and implement solutions that use PIV to authenticate to networks and applications. For more information on account linking, see Account Linking.
The table below outlines identifiers available in the PIV Authentication certificate and design considerations for implementations.
| Identifier | Design considerations |
|---|---|
| Subject | Unique for every person within the same agency; value does not change when a user receives a new, replaced, or updated PIV credential within the same agency. |
| Issuer and Subject | Unique for every person; value does not change when a user receives a new, replaced, or updated PIV credential within the same agency. |
| Issuer and Serial Number | Unique for every person and certificate; value changes when a user receives a new, replaced, or updated PIV credential. |
| Subject Key Identifier | Unique for every person and certificate; value changes when a user receives a new, replaced, or updated PIV credential. |
| SHA-1 Hash of Public Key | Value changes when a user receives a new, replaced, or updated PIV credential; commonly referred to as the thumbprint of the certificate. |
| Federal Agency Smart Card Number (FASC-N) | It is not recommended to use the FASC-N as an identifier; unique for every credential only within the U.S. federal Executive Branch agencies; no uniqueness for PIV credentials issued by Legislative or Judicial Branch agencies, state, local, tribal, territories, partners, or any credentials certified as PIV-Interoperable or PIV-I; value changes when a user receives a new, replaced, or updated PIV credential; legacy definition and usage supported building access control systems as outlined in Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems (PDF, 2005). |
| Card Universal Unique Identifier (UUID) | Unique for every person and credential; value changes when a user receives a new, replaced, or updated PIV credential; Card UUID value is only required to be present for new or replacement PIV credentials issued after August 2014; may also commonly be referred to as the Global Unique Identifier (GUID). |
| User Principal Name in Subject Alternate Name | Not required to be included in all PIV Authentication certificates; not recommended for use as an identifier to achieve full interoperability for networks or applications; commonly used for enterprise smart card logon / network authentication in legacy implementations. |
For all items in the table that reference an agency, you should treat the reference as meaning the small organizational unit. For example, a user who switches from one component in a large agency to another component may receive a new Subject Name when the user requires a replacement PIV credential.
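The following added example (not part of the original page) uses the Python `cryptography` library to pull the identifiers from the table out of a certificate and to check which of them still match after a credential is replaced. The certificates, names, UUIDs and helper functions are constructed for illustration; it assumes the Card UUID is carried as a `urn:uuid:` URI and the UPN as an otherName in the Subject Alternative Name.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName
CA_KEY = ec.generate_private_key(ec.SECP256R1())            # constructed test issuer
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])

def make_sample_cert(serial, card_uuid, upn=b"jdoe@agency.example"):
    """Constructed stand-in for a PIV Authentication certificate (not a real one)."""
    key = ec.generate_private_key(ec.SECP256R1())  # new key pair per credential
    subject = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Agency"),
                         x509.NameAttribute(NameOID.COMMON_NAME, "Jane Doe")])
    san = x509.SubjectAlternativeName([
        x509.OtherName(UPN_OID, bytes([0x0C, len(upn)]) + upn),  # DER UTF8String
        x509.UniformResourceIdentifier("urn:uuid:" + card_uuid)])
    start = datetime.datetime(2024, 1, 1)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(CA_NAME)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), False)
            .add_extension(san, False).sign(CA_KEY, hashes.SHA256()))

def linking_identifiers(cert):
    """Collect candidate linking values; UPN DER is assumed short-form (< 128 bytes)."""
    ext = cert.extensions.get_extension_for_class
    san = ext(x509.SubjectAlternativeName).value
    subject, issuer = cert.subject.rfc4514_string(), cert.issuer.rfc4514_string()
    upns = [o.value[2:].decode() for o in san.get_values_for_type(x509.OtherName)
            if o.type_id == UPN_OID]
    uuids = [u for u in san.get_values_for_type(x509.UniformResourceIdentifier)
             if u.startswith("urn:uuid:")]
    return {"subject": subject,
            "issuer_and_subject": (issuer, subject),
            "issuer_and_serial": (issuer, format(cert.serial_number, "x")),
            "subject_key_identifier": ext(x509.SubjectKeyIdentifier).value.digest.hex(),
            "sha1_thumbprint": cert.fingerprint(hashes.SHA1()).hex(),  # SHA-1 of DER cert
            "card_uuid": uuids[0] if uuids else None,
            "upn": upns[0] if upns else None}

def stable_across_reissue(old_cert, new_cert):
    """Names of identifiers whose value is identical on both certificates."""
    old, new = linking_identifiers(old_cert), linking_identifiers(new_cert)
    return sorted(name for name in old if old[name] == new[name])
OLD = make_sample_cert(0x1001, "11111111-2222-4333-8444-555555555555")  # original card
NEW = make_sample_cert(0x2002, "66666666-7777-4888-8999-aaaaaaaaaaaa")  # replacement
print(stable_across_reissue(OLD, NEW))  # ['issuer_and_subject', 'subject', 'upn']
```

An account linked on any identifier missing from the printed list has to be re-linked whenever the credential is replaced.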
Organization Specific Identifiers
Multiple departments and agencies leverage a persistent, internal unique identifier. For example, the Department of Defense uses a unique 10-digit identifier called the Electronic Data Interchange Personal Identifier or EDIPI. The Department of Homeland Security and the Department of Health and Human Services leverage a similar persistent lifetime identifier for their identities. Note that these identifiers are unique within the systems that generate them. There is a risk of collision when leveraging these identifiers in external systems.