A Credential is a claim (or set of claims) made by an entity about a Digital Identity.[1]

A Credential Holder may make a Claim that the password for a specific Digital Identity has a specific value, or may simply assert that they Authenticated the Digital Identity to some specific Level Of Assurance.

Authentication is the process of Verification of a Credential.

A Credential may be as subtle as a Website associating an IP Address with a cookie. Although such a Credential has a very low Level Of Assurance, it is still a method of Authentication and an Identification that separates this specific Entity from the Anonymity Set.

A Credential is evidence of an entity’s claimed Identification.

Credential types#

Credentials come in many types, from physical papers, Identity Documents and cards (such as a passport or Payment Card) to electronic items (such as a password or digital certificate), and often incorporate anti-tamper features.

Within the United States federal government, a Personal Identity Verification (PIV) is a credential.

Credentials, regardless of type, associate an identity with an entity (typically via an identifier) and identify the Organizational Entity that issued the Credential:

  • Your Driver License includes a license number, your name, and a state seal.
  • A Payment Card includes a card number, your name, and a corporate symbol.
  • A PIV credential contains a picture, the issuing agency logo, and cryptographic key pairs.

Some Credentials indicate authorizations granted to the entity by the issuing Organizational Entity. For example, a Driver License includes the authorization to drive a car.

Unlike identities, Credentials generally expire. If an identity continues past the expiration date of its Credential, a new Credential is issued:

  • Your Driver License expires after so many years and you receive a new one.
  • Your Payment Card expires after so many years and you receive a new one.
  • Your PIV credential expires after three to six years and you receive a new one.

A Credential that is lost or compromised before it expires may be revoked by the organization that issued it. Credentials can incorporate something you know (such as a password or PIN), something you have (such as a card), or something you are (such as a fingerprint or iris). Some credentials incorporate more than one option and are referred to as two-factor, three-factor, or multi-factor.

As with Identity Proofing, Credentials have a different Level Of Assurance depending on the strength required. The Credential for accessing your bank account is likely stronger than the Credential for accessing your health club.

Good Credential#

A Credential that meets all of the following criteria is a good Credential:
  • easy to remember
  • easy to change
  • hard to guess
  • hard to intercept

Derived Credential[2]#

NIST defines Derived Credentials as credentials that are derived from those in a Personal Identity Verification (PIV) card or Common Access Card (CAC) and carried in a Mobile Device instead of the card. A CAC is a PIV card issued by the United States Department of Defense.

We assume this would be similar to adding a Payment Card to a Digital Wallet.

NIST.SP.800-157 is titled "Guidelines for Derived Personal Identity Verification (PIV) Credentials".

The Electronic Authentication Guideline, NIST.SP.800-63, defines a derived credential more broadly as: A credential issued based on Proof-of-Possession and control of a claim associated with a previously issued credential, so as not to duplicate the Identity Proofing process.
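As an added illustration of the NIST.SP.800-63 definition just quoted (example code written for this page, not from NIST or the original article), the following Go program models derived-credential issuance: the issuer checks Proof-of-Possession of the parent credential's key over a fresh challenge, refuses an expired or revoked parent, and copies the already-proofed identity to a new credential bound to a mobile device key, so Identity Proofing is not repeated. The Credential type, IssueDerived, the Ed25519 key pair standing in for the PIV card's keys, and all sample values are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Credential binds an identity to an entity through an identifier, names the
// issuer and expires; PublicKey stands in for the PIV card's key pair (assumed model).
type Credential struct {
	Identifier, Identity, Issuer string
	Expires                      time.Time
	Revoked                      bool
	PublicKey                    ed25519.PublicKey
}

// IssueDerived follows the SP 800-63 definition: a signature over the issuer's fresh
// challenge is Proof-of-Possession of the parent's key, and the already-proofed identity
// is copied to a credential bound to the device key, so Identity Proofing is not repeated.
func IssueDerived(parent Credential, challenge, sig []byte, deviceKey ed25519.PublicKey, now time.Time) (Credential, error) {
	switch {
	case parent.Revoked: // a compromised card that was revoked cannot be used to derive
		return Credential{}, errors.New("parent credential is revoked")
	case !now.Before(parent.Expires):
		return Credential{}, errors.New("parent credential has expired")
	case len(challenge) < 32 || !ed25519.Verify(parent.PublicKey, challenge, sig):
		return Credential{}, errors.New("proof of possession failed")
	}
	return Credential{
		Identifier: parent.Identifier + "/derived",
		Identity:   parent.Identity,
		Issuer:     parent.Issuer,
		Expires:    parent.Expires, // in this model the derived credential never outlives its parent
		PublicKey:  deviceKey,
	}, nil
}

func main() {
	// Constructed sample: a PIV-style parent credential, a fresh challenge and a device key.
	pivPub, pivPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, _, _ := ed25519.GenerateKey(rand.Reader)
	parent := Credential{"PIV-0001", "example holder", "Example Agency", time.Now().AddDate(5, 0, 0), false, pivPub}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	derived, err := IssueDerived(parent, challenge, ed25519.Sign(pivPriv, challenge), devPub, time.Now())
	fmt.Println(derived.Identifier, derived.Identity, err) // PIV-0001/derived example holder <nil>
}
```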

Compromised Credential#

Compromised Credentials are any Credentials that the Owner no longer controls, or to which another entity has gained access.
