1. A set of data presented as evidence of a claimed digital identifier or set of attributes.
2. A set of data held by the user that allows presentation of evidence of a claimed digital identifier or set of attributes.
A certificate associated with a credential can establish a level of confidence in the attributes used in the identity claim as well as the security of the credential.
Some credentials as defined in 1 above, such as passwords, are not generally secure. Credentials that are not directly passed, as defined in 2 above, can be made arbitrarily secure.
Previous proposed definitions include:
- Attribute(s) presented as evidence of a claimed identity. (Taxonomy AHG)
- An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. (NIST 800-63)
- Some form of token presented to facilitate identification and authentication. (Wallace)
- Verified attributes presented as evidence of a claimed identity. (Faron)
- Evidence of possession of an attribute by an entity, provided during identity proofing and similar processes. (Fenton)
- Something that is verifiable and is presented as evidence of a claimed identity and/or entitlement. (Corwin)
- A credential is an attestation of qualification, competence, or authority issued to an individual by a third party with a relevant or de facto authority or assumed competence to do so. (Wikipedia)
- A credential needs to be a unique property of an individual that cannot be transferred. (Tom Jones)
Open question: Is binding necessary, or preferred?
NIST 800-63: An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. While common usage often assumes that the credential is maintained by the Subscriber, this document also uses the term to refer to electronic records maintained by the CSP which establish a binding between the Subscriber’s token and identity.
From a developer’s perspective, a credential is an object which allows a developer to make an authentication decision for a particular action. Various types of credentials are used or presented by the User Agent. A credential is effective for a particular site if it is accepted as authentication on that site. Even if a credential is effective at a particular point in time, the User Agent can’t assume that the same credential will be effective at any future time, for a couple of reasons:
- A password credential may stop being effective if the account holder changes their password.
- A credential made from a token received over SMS is likely to only be effective for a single use.
Single-use credentials are generated by a credential source, which could be a private key, access to a federated account, the ability to receive SMS messages at a particular phone number, or something else. Credential sources are not exposed by the User Agent. To unify the model, we consider a password to be a credential source on its own, which is simply copied to create password credentials.