Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

5. Issue a Derived Credential

Three hexagons with the letters I, C, and A. The C is highlighted in green for Credential Management, with a green banner for the Maintenance service.

A derived credential is a credential derived from an existing credential, with a different form factor, such as a credential on a mobile device. Derived credentials have the same IAL as the existing credential and the same or lower AAL.

When an employee or contractor requires authentication but cannot leverage an existing credential, they can use a derived credential. To be eligible for a derived credential, the employee or contractor must already have a valid credential with Authenticator Assurance Level (AAL) 2 or 3.

Use Case

In this use case, an employee or contractor interacts with the agency services to register or request a derived credential.

Icon Key for the diagrams that follow.

1. Initiate the request
A diagram showing an employee or contractor initiating a derived credential request to an enterprise identity management system.
A request for identity data is initiated to the identity manager.

This identity manager could be a person or system, depending on the organization.
2. Authenticate the existing credential
A diagram showing an employee or contractor authenticating an existing credential to an enterprise identity management system.
The identity manager identifies relevant sources of data on the individual.

Sources could include HR systems, security data, and personal databases.
3. Generate the derived credential
A diagram showing an enterprise identity management system generating a derived credential for an employee or contracter.
Generate the derived authenticator and note the change in the user's enterprise identity record.


  • I want to provide an employee or contractor, who has already been issued an enterprise credential, a derived credential so that they can authenticate to enterprise applications.
  • An employee or contractor travels quite a bit as part of their job. Accordingly, they are frequently limited to using a small tablet or their phone to stay connected while on the go. In this case, a derived credential is needed for purposes such as accessing secure agency websites or an agency VPN from their mobile device.

An official website of the General Services Administration

Looking for U.S. government information and services?
Visit Edit this page