Credential Management
Credential Management is how an agency issues, manages, and revokes credentials bound to enterprise identities.
A credential is a data structure that authoritatively binds an authenticator to an existing identity using one or more identifiers.
The following are types of authenticators:
- Something you know, like a password or PIN.
- Something you have, like a private key or One-Time Password (OTP) generator.
- Something you are, like a fingerprint or iris.
The Authenticator Assurance Level (AAL) required of a credential determines which authenticators may be bound to it. Federal government-wide policy requires a minimum Authenticator Assurance Level 2 for employees and contractors.
The following are some examples of credentials:
- You might use an agency-issued smart card, such as a PIV or CAC, that includes a picture and cryptographic key pairs to assert your identity at a federal facility.
- You might use a combination of credentials, like a username/password with an OTP generated by a mobile application, to assert your identity to a federal web application.
Unlike identities, credentials can expire. If an enterprise identity continues past a credential’s expiration date, the issuing agency can issue a new credential.
Credential Management Services
The Credential Management services in the FICAM architecture include Sponsorship, Registration, Generation & Issuance, Maintenance, and Revocation.
Sponsorship
Formally establish that a person or entity requires a credential.
Keywords: Sponsor, Authorizing Official, Affiliation, Request
Registration
Collect the information needed from a person or entity to issue them a credential.
Keyword: Enrollment
Generation & Issuance
Assign a credential to a person or entity.
Keywords: Activation, Token, Authenticator
Maintenance
Maintain a credential throughout its lifecycle.
Keywords: Renewal, Reset, Suspension, Reissuance
Revocation
Revoke a credential from a person or entity, or deactivate an authenticator.
Keyword: Termination
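The two ideas above, a credential as a binding of authenticators to an identity with an AAL and an expiration date, and the five lifecycle services from Sponsorship through Revocation, can be shown as one small state machine. The following is an added illustration and is not code from the FICAM architecture or from any agency; the class and function names, the identity and sponsor values, and the dates are all constructed for the example. The AAL rule it applies (AAL2 requires two distinct authenticator factor types) is taken from NIST SP 800-63B and is labelled as an assumption in the code.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Factor(Enum):
    """The three authenticator types listed on the page."""
    KNOW = "something you know"   # password, PIN
    HAVE = "something you have"   # private key, OTP generator
    ARE = "something you are"     # fingerprint, iris


@dataclass(frozen=True)
class Authenticator:
    label: str      # hypothetical description, e.g. "PIN"
    factor: Factor


class State(Enum):
    """Credential lifecycle states, following the FICAM services in order."""
    SPONSORED = "sponsored"
    REGISTERED = "registered"
    ACTIVE = "active"
    SUSPENDED = "suspended"
    REVOKED = "revoked"


def assurance_level(authenticators) -> int:
    """Assumed AAL rule (after NIST SP 800-63B): AAL2 needs two distinct factor types."""
    factors = {a.factor for a in authenticators}
    if not factors:
        return 0
    return 2 if len(factors) >= 2 else 1


@dataclass
class Credential:
    identity_id: str                 # enterprise identity this credential is bound to
    sponsor: str                     # authorizing official who requested it
    required_aal: int = 2            # government-wide minimum for employees and contractors
    state: State = State.SPONSORED
    authenticators: list[Authenticator] = field(default_factory=list)
    expires: date | None = None


def _expect(cred: Credential, *allowed: State) -> None:
    """Lifecycle services may only run from the states that precede them."""
    if cred.state not in allowed:
        raise ValueError(f"credential is {cred.state.value}, expected one of {[s.value for s in allowed]}")


def sponsor(identity_id: str, authorizing_official: str) -> Credential:
    """Sponsorship: formally establish that the identity requires a credential."""
    return Credential(identity_id=identity_id, sponsor=authorizing_official)


def register(cred: Credential, enrollment_complete: bool) -> Credential:
    """Registration: enrollment data must be collected before anything is issued."""
    _expect(cred, State.SPONSORED)
    if not enrollment_complete:
        raise ValueError("enrollment incomplete")
    cred.state = State.REGISTERED
    return cred


def issue(cred: Credential, authenticators, expires: date) -> Credential:
    """Generation & Issuance: bind authenticators that reach the required AAL, then activate."""
    _expect(cred, State.REGISTERED)
    if assurance_level(authenticators) < cred.required_aal:
        raise ValueError("authenticators do not reach the required AAL")
    cred.authenticators = list(authenticators)
    cred.expires = expires
    cred.state = State.ACTIVE
    return cred


def suspend(cred: Credential) -> None:
    """Maintenance: a suspended credential keeps its bindings but cannot authenticate."""
    _expect(cred, State.ACTIVE)
    cred.state = State.SUSPENDED


def reinstate(cred: Credential) -> None:
    _expect(cred, State.SUSPENDED)
    cred.state = State.ACTIVE


def renew(cred: Credential, new_expiry: date) -> None:
    """Maintenance: renewal only extends an active credential."""
    _expect(cred, State.ACTIVE)
    cred.expires = new_expiry


def deactivate_authenticator(cred: Credential, label: str) -> None:
    """Revocation of a single authenticator; the credential may then fall below its AAL."""
    cred.authenticators = [a for a in cred.authenticators if a.label != label]


def revoke(cred: Credential) -> None:
    """Revocation: terminal; the identity survives, the credential does not."""
    cred.state = State.REVOKED
    cred.authenticators = []


def is_usable(cred: Credential, today: date) -> bool:
    """Authenticates only while active, unexpired, and still at the required AAL."""
    return (cred.state is State.ACTIVE
            and cred.expires is not None and today <= cred.expires
            and assurance_level(cred.authenticators) >= cred.required_aal)


def walkthrough() -> dict:
    """Constructed scenario (not agency data): one identity, one expired credential, one reissued."""
    pin = Authenticator("PIN", Factor.KNOW)
    key = Authenticator("smart-card key pair", Factor.HAVE)
    otp = Authenticator("OTP app", Factor.HAVE)
    official = "authorizing.official@agency.example"   # hypothetical sponsor
    out = {}
    cred = register(sponsor("EMP-0001", official), True)
    try:   # key pair plus OTP app are both "something you have": one factor type, AAL1, refused
        issue(cred, [key, otp], date(2026, 1, 1))
        out["single_type_issued"] = True
    except ValueError:
        out["single_type_issued"] = False
    issue(cred, [pin, key], date(2026, 1, 1))
    out["aal"] = assurance_level(cred.authenticators)
    out["usable_before_expiry"] = is_usable(cred, date(2025, 6, 1))
    out["usable_after_expiry"] = is_usable(cred, date(2026, 6, 1))
    # The identity continues past expiry, so a new credential is issued to the same identity.
    new = issue(register(sponsor("EMP-0001", official), True), [pin, key], date(2029, 1, 1))
    out["reissued_usable"] = is_usable(new, date(2026, 6, 1))
    deactivate_authenticator(new, "PIN")   # one factor type left: below AAL2
    out["usable_after_pin_deactivated"] = is_usable(new, date(2026, 6, 1))
    revoke(new)
    out["usable_after_revoke"] = is_usable(new, date(2026, 6, 1))
    return out
```

The state checks in `_expect` are what make the service order enforceable: a credential cannot be issued without a completed registration, cannot be renewed while suspended, and once revoked has no path back to active, so a new credential for the same identity has to start again at Sponsorship.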