Identification and authentication are crucial components in confirming a digital identity, making them a key pillar within every Identity & Access Management (IAM) process. No IAM process can operate without one or multiple credentials or authentication factors, now a familiar part of our daily lives. But what exactly is a credential? And what types of credentials are there? Let us explain.

What is a credential?

The definition of a credential? A credential is a piece of information used to verify the identity of a user, device or system. In everyday life, you might think of a diploma or certificate that proves you have completed a certain course of study, possess certain skills and competencies, or are qualified for a specific type of work. A valid travel document or vaccination certificate can also be seen as a credential to enter a certain country.

In a digital IAM context, a credential plays the same role. It is a way for the user to authenticate themselves and gain access to an application, service or online environment. Such a credential is usually issued by a third party or the owner of a service or platform. Based on one or more credentials, it is possible to validate the digital identity of a user.

How does it work?

Credentials are used for authentication. They assist in validating whether a user, application or device is indeed who or what they claim to be. You therefore check whether the given digital identity corresponds to the authenticity characteristics and data that are known to your system.

When calling APIs for remote services, you usually also need to provide credentials to authenticate yourself or the application. For example, do you have an app on your phone that needs access to files stored in Google Drive? Then you will need credentials that identify the app as authorised to use this service.

What types of credentials are there?

Credentials are therefore an essential part of any identity & access management system, as they allow users the ability to authenticate themselves and access the resources for which they have permission. There are various credentials you can use in an IAM process. We will outline the most important ones:

  • Password: The most common type is a password, a simple and widely used method to authenticate users. The password can be a secret value of letters, numbers and characters linked to your digital identity, but it can also be a one-time password (OTP). A one-time password is suitable for single use within a limited time period. The system compares the provided password with a trusted information source, such as a database of authorised users, to verify the user’s identity.
  • Security tokens: This type of credential can be both a physical or digital object used to verify a user’s identity. Examples include a smartcard, a key fob, a FIDO2 key or a mobile phone with a special authentication app. The security token is linked to the system or application. It then displays a unique one-time code that needs to be entered, or it automatically passes this information to the system. This can provide an additional layer of security, as the user must have the token in their possession in order to authenticate themselves.
  • Biometric data: This is another type of credential that is becoming increasingly common in identity and access management systems. It involves the unique physical characteristics of a person, such as a fingerprint, an iris pattern or facial features. Many modern smartphones now come with technology for scanning biometric data. The data is then compared via specialised software with a trusted information source. This can provide a high degree of security, as biometric data is difficult to forge or replicate.