Derived Credentials

In this video, you will learn about derived credentials, a strong type of authentication for mobile devices.
The other benefit of smartphones we see very much in use at the moment is a derived group, derived credentials. So this is presented under NIST Special Publication 800-157 and also under the FIPS standard 201-2. And what we’re talking about here is, instead of the traditional approach to multi-factor authentication, where we use hard tokens. These work, these function, but are generally more expensive and generally less flexible. To log into our desktop, for example, we need a smart card reader, perhaps, if we’re using smart cards as our token, and we have to have a PIN, and also then our username and password. So this can be less flexible.
And also, we need to make sure any computers that that user is accessing have that smart card reader. So this isn’t a very good mobile solution. Smart card readers don’t typically occur within highly portable devices. And, again, we have the added cost. So the federal government in America recognised that they wanted to support mobile devices, they had to support mobile devices, whether these were corporate or bring your own device. And the use of bring-your-own-device type mobiles depends on your risk profile. But this actually allows us to register a mobile device to become a token in its own right. So this is a pretty smart thing to do.
People have their smart phones with them nearly all the time, and we have a very, very high level of usage of mobile devices. So this doesn’t require a brand new infrastructure; these are typically things we have in place already. And what we’re doing is we’re using the device to store the approved credential on the phone in a secure area. So most mobile devices, Samsung, iOS devices, Apple devices, have hardware security modules that you can store credentials in. So using the credential means that you can store it on the device and access it when you need. The device in turn, we then need to rely on that device being secure.
So if somebody wants to access their banking application, we see this kind of derived credential in use. The banking app is enrolled through various steps, and an access token is left on the device. And then when you try to access the banking app, it may be protected by a PIN number, something easier to log in with. It may be protected by a biometric check. Equally, we see these derived credentials in use for soft tokens. Most big providers, Microsoft, Amazon, Apple, all offer this kind of approach.
So this means if we’re looking to use this, and it is a very popular choice for the reasons we’ve described, device enrollment and device management become crucial. Any problems around the device platform can undermine the entire process. So we need to make sure that our Android devices are not rooted, ideally, and the iOS devices are not jailbroken. And if we’re using bring your own device, that we understand the security posture of those devices that we are allowing to be used for derived credentials. And for bring your own device, it doesn’t rule out the use of derived credentials. You will see this frequently used by companies like Microsoft, by banks, as part of their process.
But it’s an interesting shift in the way we’re working.
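The lifecycle the video walks through, as an added example that is not part of the course or the NIST publication: a constructed Python simulation in which the holder of an existing smart-card credential proves possession of it, the enrollment service checks device posture (rooted or jailbroken phones are refused before any credential is issued), and a derived credential is bound to a key that only the phone's keystore holds and that cannot be used until a PIN or biometric unlocks it. Real deployments use PKI key pairs in the hardware keystore; HMAC-SHA256 stands in for the signature here so the script runs on the standard library alone, and every user, device and key value is made up.

```python
# Added example (not the course's own code): simulated derived-credential
# enrollment and use. HMAC stands in for private-key signing; the Verifier
# object plays the role of the public key the issuer would really receive.
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class DevicePosture:
    """What the enrollment service learns about the phone (constructed fields)."""
    platform: str                  # "android" or "ios"
    rooted_or_jailbroken: bool
    hardware_backed_keystore: bool
    corporate_managed: bool        # False means bring your own device


def posture_acceptable(p: DevicePosture, allow_byod: bool) -> tuple[bool, str]:
    """Policy gate from the video: a compromised platform undermines the whole process."""
    if p.rooted_or_jailbroken:
        return False, "device is rooted/jailbroken"
    if not p.hardware_backed_keystore:
        return False, "no hardware-backed key storage"
    if not p.corporate_managed and not allow_byod:
        return False, "BYOD not permitted by risk profile"
    return True, "ok"


class Verifier:
    """Stand-in for a public key: can check signatures, never produces them."""
    def __init__(self, key: bytes):
        self._key = key

    def verify(self, message: bytes, sig: bytes) -> bool:
        expected = hmac.new(self._key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


class SecureKeystore:
    """Simulated hardware keystore: keys are created inside and never exported;
    signing is refused until a PIN or biometric check unlocks it."""
    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._unlocked = False

    def generate_key(self, alias: str) -> Verifier:
        self._keys[alias] = secrets.token_bytes(32)
        return Verifier(self._keys[alias])

    def unlock(self, pin_or_biometric_ok: bool) -> None:
        self._unlocked = pin_or_biometric_ok

    def sign(self, alias: str, message: bytes) -> bytes:
        if not self._unlocked:
            raise PermissionError("keystore locked: PIN/biometric required")
        return hmac.new(self._keys[alias], message, hashlib.sha256).digest()


class Issuer:
    """Service that holds primary (smart-card) verifiers and issues derived ones."""
    def __init__(self, allow_byod: bool):
        self.allow_byod = allow_byod
        self.primary: dict[str, Verifier] = {}
        self.derived: dict[tuple[str, str], Verifier] = {}   # (user, device) -> key
        self._nonces: set[bytes] = set()

    def challenge(self) -> bytes:
        n = secrets.token_bytes(16)
        self._nonces.add(n)
        return n

    def _consume(self, nonce: bytes) -> bool:
        if nonce not in self._nonces:
            return False
        self._nonces.discard(nonce)       # single use: a captured proof cannot be replayed
        return True

    def enroll(self, user, device_id, posture, nonce, primary_proof, device_key) -> tuple[bool, str]:
        ok, why = posture_acceptable(posture, self.allow_byod)
        if not ok:
            return False, why
        if not self._consume(nonce):
            return False, "stale or unknown challenge"
        msg = b"enroll|" + nonce + b"|" + device_id.encode()
        if not self.primary[user].verify(msg, primary_proof):
            return False, "primary credential proof failed"
        self.derived[(user, device_id)] = device_key
        return True, "derived credential issued"

    def authenticate(self, user, device_id, nonce, proof) -> bool:
        key = self.derived.get((user, device_id))
        if key is None or not self._consume(nonce):
            return False
        return key.verify(b"login|" + nonce, proof)


def run_demo() -> dict:
    """Walk through refusal, enrollment, locked-keystore login, PIN login and replay."""
    issuer = Issuer(allow_byod=True)
    card = SecureKeystore()                       # the user's existing smart card
    card.unlock(True)
    issuer.primary["alice"] = card.generate_key("piv-auth")
    phone = SecureKeystore()
    good = DevicePosture("ios", False, True, False)
    rooted = DevicePosture("android", True, True, False)
    r = {}
    n = issuer.challenge()                        # 1. rooted phone refused before any crypto
    r["rooted_rejected"] = not issuer.enroll("alice", "phone-1", rooted, n, b"", None)[0]
    n = issuer.challenge()                        # 2. card proves possession, phone key bound
    proof = card.sign("piv-auth", b"enroll|" + n + b"|phone-1")
    r["enrolled"] = issuer.enroll("alice", "phone-1", good, n, proof, phone.generate_key("derived"))[0]
    n = issuer.challenge()                        # 3. locked keystore cannot sign
    try:
        phone.sign("derived", b"login|" + n)
        r["locked_blocked"] = False
    except PermissionError:
        r["locked_blocked"] = True
    phone.unlock(True)                            # 4. PIN unlock, login, then replay attempt
    proof = phone.sign("derived", b"login|" + n)
    r["login_ok"] = issuer.authenticate("alice", "phone-1", n, proof)
    r["replay_rejected"] = not issuer.authenticate("alice", "phone-1", n, proof)
    return r


if __name__ == "__main__":
    print(run_demo())
```

The design point is where each control sits: posture is evaluated before the issuer touches any credential, the primary credential is exercised only once at enrollment, and after that the phone key, unlockable by PIN or biometric, is the only thing needed for login, which is exactly why the video says the security of the device itself becomes the thing you rely on.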

Once you have viewed the video, read the recap below:

  • derived credentials come from the NIST SP 800-157 Guidelines for Derived Personal Identity Verification
  • the process allows an individual to use their mobile as a hard token in multi-factor authentication
  • the use of this will depend on the organization’s risk profile

Reflect and share: What are some of the potential barriers derived credentials pose? What can be done to address them?

This article is from the free online course Cyber Security Foundations: Identity and Access Management, created by FutureLearn.
