This is the draft preview of version 3.1 for the Federal Identity, Credential, and Access Management architecture.

Edit this page

5. Issue a Derived Credential

Three hexagons with the letters I, C, and A. The C is highlighted in green for Credential Management, with a green banner for the Maintenance service.

A derived credential is a credential derived from an existing credential, with a different form factor (like on a mobile device). Derived credentials have the same IAL as the existing credential, and the same or lower AAL.

When an employee or contractor requires authentication, but cannot leverage an existing credential, they can use a derived credential. To be eligible for a derived credential, the employee or contractor must already have a valid credential with Authenticator Assurance Level (AAL) 2 or 3.

Use Case

In this use case, an employee or contractor interacts with the agency services to register or request a derived credential.

Icon Key for the diagrams that follow.

1. Initiate the request
A diagram showing an employee or contractor initiating a derived credential request to an enterprise identity management system.
A request for identity data is initiated to the identity manager.

This identity manager could be a person or system, depending on the organization.
2. Authenticate the existing credential
A diagram showing an employee or contractor authenticating an existing credential to an enterprise identity management system.
The identity manager identifies relevant sources of data on the individual.

Sources could include HR systems, security data, and personal databases.
3. Generate the derived credential
A diagram showing an enterprise identity management system generating a derived credential for an employee or contracter.
Aggregate identity data to create a complete identity profile.


  • I want to provide an employee or contractor, who has already been issued an enterprise credential, a derived credential so that they can authenticate to enterprise applications.
  • An employee or contractor travels quite a bit as part of their job. Accordingly, they are frequently limited to using a small tablet or their phone to stay connected while on the go. In this case, a derived credential is needed for purposes such as accessing secure agency websites or an agency VPN from their mobile device.

Next Steps

Assign access entitlements and manage the credential.