Overview#

Derived Credential, generically, is a credential (a Ticket or token, for example) that is derived from the claims or other credentials of the Credential Holder and issued to permit access to a particular Protected Resource.

As defined by NIST for use with PIV, a Derived Credential can be issued to any PIV Credential Holder, regardless of the original Credential Service Provider or a third-party issuer, either on-premises or via a managed service.

The Electronic Authentication Guideline, NIST.SP.800-63, defines a derived credential more broadly as "a credential issued based on Proof-of-Possession and control of a claim associated with a previously issued credential, so as not to duplicate the Identity Proofing process."

This is similar to adding a Payment Card to a Digital Wallet: the representation within the Digital Wallet is a Derived Credential of the Payment Card.

WebAuthn and Windows Hello both issue Derived Credentials based on the claims presented by the device or Trusted Platform Module.

In Public Key Infrastructure (PKI), a certificate is a Derived Credential issued by the Certificate Issuer based on the claims made.
