Overview#

A Credential is a claim (or set of claims) made by an entity about an Digital Identity.[1]

A Credential Holder makes a Claim that the password for a specific Digital Identity has a specific value. Or a Credential Holder may just supply that they Authenticated the Digital Identity to some specific Level Of Assurance

Authentication is the process of the Verification of a Credential

Credential may be as subtle as a Website associating an IP Address with a cookie. Although this Credential may have a very low Level Of Assurance, it is a method of Authentication and an Identification which separates this specific Entity from the Anonymity Set.

Credential is evidence of an entity’s claimed Identification.

Credential types#

Credentials come in many types, from physical papers, Identity Documents and cards (such as a passport or Payment Card) to electronic items (such as a password or digital certificate), and often incorporate anti-tamper features.

Within the United States federal government a Personal Identity Verification (PIV) is a credential.

Credential regardless what type, associate an identity with an entity (typically via an identifier) and identify the Organizational Entity that issued the Credential:

• Your Driver License includes a license number, your name, and a state seal.
• An Payment Card includes a card number, your name, and a corporate symbol.
• A PIV credential contains a picture, the issuing agency logo, and cryptographic key pairs

Some Credential indicate authorizations granted to the entity by the issuing Organizational Entity. For example, a Driver License includes the authorization to drive a car.

Unlike identities, Credential generally expire. If an identity continues past the expiration date of the Credential, a new credential is issued:

• Your Driver License expires after so many years and you receive a new one.
• Your Payment Card expires after so many years and you receive a new one.
• Your PIV credential expires after three to six years and you receive a new one.

A Credential that is lost or compromised before it expires may be revoked by the organization that issued it. Credentials can incorporate something you know (such as a password or PIN), something you have (such as a card), or something you are (such as a fingerprint or iris). Some credentials incorporate more than one option, and are referred to as two-factor or three-factor or multi-factor.

As with Identity Proofing, Credentials have different Level Of Assurance depending on the strength required. The Credential for accessing your bank account is likely stronger than the credential for accessing your health club.

Good Credential#

A good Credential must meet the following criteria:

• easy to remember
• easy to change
• hard to guess
• hard to intercept

then it's a good set of credentials.

Derived Credential[2]#

NIST has defined Derived credentials to refer to credentials that are derived from those in a Personal Identity Verification (PIV) card or Common Access Card (CAC) and carried in a Mobile Device instead of the card. A CAC card is a PIV card issued by the United States Department of Defense

We assume this would be similar to the adding of a Payment Card to a Digital Wallet.

NIST.SP.800-157 is titled "Guidelines for Derived Personal Identity Verification (PIV) Credentials".

The Electronic Authentication Guideline, NIST.SP.800-63, defines a derived credential more broadly as: A credential issued based on Proof-of-Possession and control of a claim associated with a previously issued credential, so as not to duplicate the Identity Proofing process.

Compromised Credential#

Compromised Credentials are any Credentials that the Owner is not in control of or that another entity has gained access to the credential

More Information#

There might be more information for this subject on one of the following:

• AD Password Filters
• API Service Delivery
• AS Exchange
• AS_REP
• AWS IAM
• Access Control Engine
• Access Proxy
• Access Token
• Active Directory Account Lockout
• Anonymous Credential
• Attestation
• Authentication
• Authentication Challenges
• Authentication Context Class Values
• Authentication cookie
• Authenticator
• Authorization Code
• Authorization Header
• Authorization_endpoint
• Basic Authentication Scheme
• Behavioral analytics
• Best Practices for LDAP Security
• Binding
• Biometric Data Challenges
• Blockcerts
• CSO
• Cached and Stored Credentials
• CachedInteractive
• Certificate
• Certificate Request Process
• Challenge-Handshake Authentication Protocol
• Channel Binding
• Claimant
• Closed-Loop Authentication
• Common Access Card
• Common Active Directory Bind Errors
• Common Edirectory Bind Errors
• Compromised Credential
• Consistent Sign-On
• Cookie
• CredSSP
• Credential
• Credential Holder
• Credential Issuance
• Credential Leakage
• Credential Leaked Databases
• Credential Management
• Credential Management API
• Credential Mapping
• Credential Recovery
• Credential Repository
• Credential Reset
• Credential Reuse
• Credential Revocation
• Credential Service Provider
• Credential Suspension
• Credential Vault
• Credential stuffing
• CredentialManagementStore
• Cross-site request forgery
• Cryptocurrency wallet
• Data Classification
• Data Leakage
• Data Protection
• Delegation vs Impersonation
• Derived Credential
• Direct Anonymous Attestation
• Domain Administrative Accounts
• Electronic Identity Credential
• Embedded user-agent
• Enterprise Directory
• Extended Protection for Authentication
• FIDO2
• Fast IDentity Online
• Federated Authentication
• Federated Credential
• Federated Identity
• Federation
• G-Suite User
• Golden Ticket
• HTTP 407
• HTTP Authentication Framework
• Have I been pwned
• Holder
• Host Card Emulation
• Human-palatable
• IAM Charter
• ID Key
• IDSA Integration Framework
• INTERDOMAIN_TRUST_ACCOUNT
• Identifier registry
• Identify and Authenticate access to system components
• Identity Credential and Access Management
• Implicit Flow
• Implicit Grant
• Interactive
• Invalid_grant
• JSON-LD Examples
• JWT Authentication
• Kerberos
• Kerberos Authentication Service
• Kerberos Delegation
• Kerberos Forged Ticket
• LCM
• LDAP Result Codes
• Level Of Assurance
• Local Security Authority Subsystem Service
• M-04-04 Level of Assurance (LOA)
• Macaroons
• Main
• Mallory
• Mix-up attacks
• Multi-Source Identity
• NDS Authentication
• NDS Connection States
• NFC
• NIST.IR 7817
• NIST.SP.800-157
• NIST.SP.800-63B
• Native application
• Netlogon service
• NetworkCleartext
• NewCredentials
• Non-interactive
• OAuth 2.0 Dynamic Client Registration Management Protocol
• OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens
• OAuth 2.0 Security Best Current Practice
• OAuth 2.0 Token Revocation
• OAuth 2.0 Use Cases
• OAuth 2.0 Vulnerabilities
• OAuth 2.0 for Native Apps
• OAuth Confidential Client
• OAuth Parameters Registry
• OctetString
• Open-Loop Authentication
• OpenID Connect Federation
• Pass-the-ticket
• Password
• Password Authentication
• Password Authentication is Broken
• Password Dictionary
• Password Reuse
• Passwordless SMS Authentication
• Phishing
• Primary Refresh Token
• Proof of Control
• Prover
• Public Key Credential
• Public Key Infrastructure Weaknesses
• Refresh Token
• Registration
• Remote Authentication Dial-In User Service
• Reputation System
• Resource Owner Password Credentials Grant
• Revocation Request
• Rich Credential
• SASL EXTERNAL
• SECURITY_IMPERSONATION_LEVEL
• SFSafariViewController
• Security Support Provider
• Security Token Service
• Service Account
• Session Management
• Shared Secret
• Simple Authentication
• Single Logout
• Single Sign-On Scenarios
• Social Login
• Sovrin
• State Pointer Exchange Services
• Token Revocation
• Trust Tier
• U-Prove
• Universal Authentication Framework
• Unvalidated redirects and forwards
• Vectors of Trust
• Verifiable Claims
• Verifiable Credentials
• Verifier
• Verizon Data Breach Investigations Report
• Virtual Authenticator
• W3C Credential Management API
• WWW-Authenticate
• Web Authentication API
• WebAuthN
• WebAuthn Attestation
• WebAuthn Authentication
• WebAuthn Authenticator
• WebAuthn Extension Identifiers
• WebAuthn Registration
• Which Jane Doe
• Why Access Tokens
• Why OpenID Connect
• Windows Authentication Package
• Windows Client Authentication Architecture
• Windows Credential Provider
• Windows Hello
• Windows Logon Types
• Windows.Security.Credentials.UI
• XDAS Account Management
• Yubico
• Yubikey NEO

---

• [#1] - Identity Credentials 1.0 - based on information obtained 2017-10-15-
• [#2] - Protecting Derived Credentials without Secure Hardware in Mobile Devices - based on information observed on 2014-04-02