What is a Derived Credential Anyway?

You may have heard that Centrify announced support for “derived credentials,” in conjunction with its smart card offering. If you aren’t in the federal or ultra-secure enterprise space, you’ve probably never heard of derived credentials. So what’s so special about it?

Users who are issued smart cards as their primary means of authentication have to physically insert the card into a reader on their desktop or laptop and then enter a PIN. This form of authentication replaces the username and password, and it also satisfies the two-factor requirement. (The card is something you have, and the PIN something you know.) This method of authentication is also how many government and military users access the applications and websites crucial to their day-to-day activities and duties.

This works great if all you are using is a computer with a reader attached — but what about mobile devices?

Traditional approaches to this problem required an external smart card reader connected via USB or Bluetooth. They did technically work, but the experience was poor, expensive, and not exactly mobile either.

The federal government knew that it needed to support mobile devices while continuing to meet the security requirements already established, so it worked on creating a standard for, essentially, making smart card credentials portable. This is described in documents such as NIST SP 800-157 and FIPS 201-2, among others. What it really boils down to is — “How do you get smart card authentication on a mobile device?” The solution is elegant — rather than using the physical card, use just the cryptographic credential. Once the credential is what matters, it can be stored on the card, or in a secure area on a mobile device (such as a TEE or secure element).

Centrify is in a unique position to solve this problem, as we are both an identity provider and an EMM. Combining those platform capabilities with the ability to use PKI certificates for authentication makes issuing derived credentials a logical next step.

The way this works is simple. A typical flow for issuing a derived credential goes something like this:

  1. The user enrolls a mobile device (a special One-Time-PIN enrollment is used, because remember…they don’t have a password).
  2. The user logs into the Centrify user portal with their smart card and PIN.
  3. The user can then select the mobile device to which they wish to issue the derived credential, and selects “Request Derived Credential Issuance.”
  4. The necessary credential certificates are delivered to the device.
  5. Now the user can access PIV/CAC protected sites on their mobile device just like they can from their desktop.
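To make the five steps concrete, here is an added toy model in Go (not Centrify's code, and not a NIST reference implementation): a constructed test CA standing in for the agency PKI, a simulated PIV Authentication certificate on the card, a key pair generated on the device, issuance of the derived certificate under the same subject and with a lifetime capped at the card certificate's, and the relying party's check at login. All names and values (newKey, IssueDerived, VerifyLogin, "JOHN DOE", the serial numbers) are made up, and the secure element/TEE that would hold the device key is only modelled by keeping the private key in process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKey models key generation inside the smart card or the device's secure element; the private key never leaves it.
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return pub, priv }
// Constructed test CA standing in for the agency PKI (not Centrify's or NIST's code).
var caPub, caKey = newKey()
var caCert = issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA (constructed)"},
	NotAfter: time.Now().Add(48 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, caPub)
// issue signs tmpl with the CA key; a nil parent yields the self-signed CA certificate itself.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey) *x509.Certificate {
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}
// clientCert issues a client-authentication leaf certificate under the test CA.
func clientCert(serial int64, subj pkix.Name, notAfter time.Time, pub ed25519.PublicKey) *x509.Certificate {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subj, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, caCert, pub)
}
// PIVAuthCert models the PIV Authentication certificate already on the user's card (used for the step 2 login).
func PIVAuthCert(cardPub ed25519.PublicKey) *x509.Certificate {
	return clientCert(2, pkix.Name{CommonName: "JOHN DOE (constructed)"}, time.Now().Add(24*time.Hour), cardPub)
}
// IssueDerived is steps 3-4: once the card+PIN login is verified, the portal binds the device's own
// (never-exported) key to the PIV certificate's subject, with a lifetime capped at the PIV certificate's.
func IssueDerived(piv *x509.Certificate, devicePub ed25519.PublicKey) *x509.Certificate {
	return clientCert(3, piv.Subject, piv.NotAfter, devicePub)
}
// ProveKey is the device's side of step 5: sign the relying party's challenge with the derived key.
func ProveKey(devKey ed25519.PrivateKey, challenge []byte) []byte { return ed25519.Sign(devKey, challenge) }
// VerifyLogin is the relying party's side of step 5: chain the certificate to the CA, then check proof of possession.
func VerifyLogin(cert *x509.Certificate, challenge, sig []byte) bool {
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return err == nil && ok && ed25519.Verify(pub, challenge, sig)
}
```

The checks that matter for a defender are the ones VerifyLogin encodes: the derived certificate must chain to the trusted CA, carry a client-auth usage, and be paired with a fresh signature over the server's challenge, so a signature made with another key or over an old challenge is rejected.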

This is a big deal for smart card users, since it opens up the whole world of mobile devices. Users are no longer tied to their laptops and desktops for secure access. For highly secure enterprises and government/military entities, this marks the beginning of a more mobile, secure workforce.

And just because someone will ask… this works on both iOS and Android devices.

For a demo of derived credentials, find Centrify at Mobile World Congress, or at the RSA Conference at booth #S2027.