Derived Credentials

Date: 2022-08-31
Author: Anders Adolfsson, Product Manager

Derived Credentials

Over the last year we’ve had multiple customer requests for derived credentials:

  • Large enterprises or governments already established with high-security technology, using certificate-based authentication, such as CAC and PIV
  • Organizations want to incorporate technology offered by newer / hardware tokens
  • Enterprises moving away from passwords, embracing “passwordless”
  • Ensuring 2FA across all steps in the identity authentication process

But what is a derived credential?

A derived credential is a new credential issued to a user after the user has proven their identity by using their existing credential.

Derived Credentials - definition

A common driving force behind the derived credential is that the new host body of the credential typically offers an additional layer of security or another feature that the original credential does not. The new derived credential may authenticate into more services than the traditional PIV card. Additionally, it may also provide a “touch,” a biometric reader feature which adds another factor to the multi-factor authentication, strengthening security.

Another interesting aspect is that even with derived credentials, the enrollment of credentials can require authorization with username and password. However, it is possible to authenticate this process with a certificate of an existing smartcard (PIV, CAC or similar) credential. The latter avoids the use of usernames and passwords, which are historically vulnerable, and is replaced by strong 2-factor authentication (2FA). The physical smartcard as a first factor (something the employee has) and a PIN as the second factor (something the employee knows).

Benefits of Derived Credentials

With derived credentials, organizations can enroll any type of credential, hardware-based PKI, virtual, FIDO registered, and access control with strong 2FA. Organizations can choose a modern passwordless path to enrollment of additional credentials, without sacrificing security. They can align the process of their existing credential management and achieve consistency in every step.

Furthermore, derived credentials can assist in migrations to modern credential management systems or to new hardware. Existing active credentials can be used for self-service enrollment of new credentials while also migrating to vSEC:CMS. This makes for a very smooth migration with no interruption for the end users

vSEC:CMS Managed Derived Credentials

With Versasec’s award-winning vSEC:CMS credential management system, organizations can manage derived credentials and utilize them to their fullest potential. Not just for authentication, but for enjoying the benefits of cryptographic operations, such as remote work, encrypted email, and document signing. With new credentials, organizations can enjoy modern multi-factor authentication and engage in new technology including FIDO, biometric security, and so much more. User self-service application allows users to enroll individually after administrators have already put in place appropriate workflows for security protocols and guidelines to be followed when enrolling new credentials.

Video Demonstration of a Derived Credential

In the following video, we will walk through:

  • Self issuance of a derived credential to a PIV credential
  • Authentication through Azure IdP
  • Demonstrating signing into Microsoft Office 365

Request a Demo

See if vSEC:CMS or vSEC:CLOUD is for you. Request a demo, we are here to help you navigate to modern authentication that best serves your organization.


Our product suite provides all the software tools to administrate and manage credentials in a secure and convenient way.

Start here

Free Product Trial

Versasec provides enabling IT security products centered on the usage of security devices such as smart cards. Our solutions enable customers to securely authenticate, issue and manage user credentials more cost effectively. Get a free product trial.

Job Openings

We are always looking for new exceptional persons to join our team! Find out more about our job openings.

Share this article