
Derived Credentials: What You Need to Know

I’ve been reading a lot recently on passwords. Are they dead? What new technology will replace passwords? Internally, we have been debating biometrics and its place in the enterprise. Someone even questioned if VMware owns my fingerprint once I store it on a company-issued phone. (For the record, no—but I still use my pinky, just in case.) Today, access control and mobile security are the major challenges facing IT, especially as the workforce becomes more and more heterogeneous.

With so many different devices, operating systems and apps trying to access corporate data and information, IT is rethinking and re-architecting the way it facilitates and secures this access. One approach picking up steam is derived credentials:

  • Derived credentials free end users from complex password requirements.
  • They increase the security around mobile devices.
  • They provide a stronger security posture for your environment.


What Are Derived Credentials?

A quick Google search of “derived credentials” will lead you to NIST Special Publication (SP) 800-157. Here’s what derived credentials mean to businesses and agencies in a (hopefully) simpler way.

Many of us have ID badges for work. Most of these allow us to enter a building or open an office door. Some companies and all public-sector agencies are required to use these cards to authenticate a user on a computer or network, as well.

In a public sector environment, employees use personal identity verification (PIV) or common access cards (CAC). In the private sector, they are generically known as smart cards. To access the computer, you use your card instead of a password. The card has multiple client certificates, one of which is used for authenticating to the network and/or back-end systems. For mobile devices, however, this is easier said than done.

iOS and Android users originally had to use third-party smart card readers that were either cases/sleeves or required a special Bluetooth adapter. This made using mobile devices for work more expensive and cumbersome. To solve this problem, NIST created the guidelines for deriving PIV credentials for mobile, which are commonly referred to as derived credentials or PIV-D. These credentials are derived after an end user proves their identity using their existing CAC or PIV card, eliminating the need for a special reader or case to authenticate the identity of the user.

Why Does My Business Need Derived Credentials?

Derived credentials improve the authentication process, while providing a very simple end-user experience. The end user is not forced to remember complex and difficult passcodes, which reduces help desk calls and increases productivity for workers and IT.

As Eugene Liderman points out, derived credentials:

“Enable more efficient and effective authentication, while helping to ensure confidentiality, security and integrity of mobile device information access.”

We need derived credentials to drive the complexity out of the end user’s environment. We also need derived credentials to ensure that our data is safer and more secure.

How Do I Set Up Derived Credentials with VMware AirWatch?

The process for setting up and using derived credentials with AirWatch is straightforward. In fact, we believe that the AirWatch derived credential process is one of the simplest processes for the end user in the industry.

After IT configures the necessary infrastructure components, the end user can get up and running in three easy steps:

1. IT admin or the end user generates a secure enrollment token.

2. User completes device enrollment using the secure enrollment token.

3. User authenticates to the AirWatch Self-Service Portal using their CAC/PIV and requests a derived credential.

After completion of step three, the user will have a derived credential on their device, configured to be used for authentication into email, WiFi, VPN and/or various third-party applications connected to back-end systems.

How Do Derived Credentials Fit into AirWatch’s Mobile Security Offering?

Derived credentials are one part of the complete mobile security solution that AirWatch provides. The complete AirWatch Mobile Security portfolio includes solutions for:

  • Trusting the user;
  • Managing the endpoint;
  • Securing the applications;
  • Safeguarding the data; and
  • Protecting the network.

To learn more about the complete AirWatch Mobile Security portfolio, please click here.

John Britton

John Britton is the former director of product marketing for security at VMware End-User Computing (EUC).

