Derived Credentials

In this video, you will learn about derived credentials, a strong type of authentication for mobile devices.
The other benefit of smartphones we see very much in use at the moment is a derived group, derived credentials. So this is presented under NIST Special Publication 800-157 and also under the FIPS standard 201-2. And what we’re talking about here is, instead of the traditional approach to multi-factor authentication, where we use hard tokens; these work, these function, but are generally more expensive and generally less flexible. To log into our desktop, for example, we need a smart card reader, perhaps, if we’re using smart cards as our token, and we have to have a PIN, and also then our username and password. So this can be less flexible.
And also, we need to make sure any computers that that user is accessing have that smart card reader. So this isn’t a very good mobile solution. Smart card readers don’t typically occur within highly portable devices. And, again, we have the added cost. So the federal government in America recognised that they wanted to support mobile devices, they had to support mobile devices, whether these were corporate or bring your own device. And the use of bring your own device type mobiles depends on your risk profile. But this actually allows us to register a mobile device to become a token in its own right. So this is a pretty smart thing to do.
People have their smartphones with them nearly all the time, and we have a very, very high level of usage of mobile devices. So this doesn’t require a brand new infrastructure; these are typically things we have in place already. And what we’re doing is we’re using the device to store the approved credential on the phone in a secure area. So most mobile devices, Samsung, iOS devices, Apple devices, have hardware security modules that you can store credentials in. So using the credential means that you can store it on the device and access it when you need. The device in turn, we then need to rely on that device being secure.
So if somebody wants to access their banking application, we see this kind of derived credential in use. The banking app is enrolled through various steps, and an access token is left on the device. And then when you try to access the banking app, it may be protected by a PIN number, something easier to log in with. It may be protected by a biometric check. Equally, we see these derived credentials in use for soft tokens. Most big providers, Microsoft, Amazon, Apple, all offer this kind of approach.
So this means if we’re looking to use this, and it is a very popular choice for the reasons we’ve described, device enrollment and device management become crucial. Any problems around the device platform can undermine the entire process. So we need to make sure that our Android devices are not rooted, ideally, and the iOS devices are not jailbroken. And if we’re using bring your own device, that we understand the security posture of those devices that we are allowing to be used for derived credentials. And for bring your own device, it doesn’t rule out the use of derived credentials. You will see this frequently used by companies like Microsoft, by banks as part of their process.
But it’s an interesting shift in the way we’re working.

Once you have viewed the video, read the recap below:

  • derived credentials come from the NIST SP 800-157 Guidelines for Derived Personal Identity Verification
  • the process allows an individual to use their mobile as a hard token in multi-factor authentication
  • the use of this will depend on the organization’s risk profile

Reflect and share: What are some of the potential barriers derived credentials pose? What can be done to address them?

This article is from the free online course Cyber Security Foundations: Identity and Access Management, created by FutureLearn - Learning For Life.
