The IT Law Wiki



Credentials are objects that are verified when presented to the verifier in an authentication transaction. Credentials may be associated with the individual to whom they were issued, or they may be bearer credentials. The former are necessary for identification, while the latter may be acceptable for some forms of authorization.[1]

A credential is

  - [a]n information object created by a credential provider that provides evidence of the subject’s authority, roles, rights, privileges, and other attributes. The credential is normally bound to an acceptable identity medium.[2]
  - an object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a subscriber.[3]
  - [i]nformation passed from one entity to another to establish the sender's access rights or to establish the claimed identity of a security subjective relative to a given security domain.[4]
  - [a] record that contains the authentication information (credentials) required to connect to a resource. Most credentials contain a user name and password.[5]


  1. Who Goes There?: Authentication Through the Lens of Privacy, App. C, at 210.
  2. The White House, (Draft) National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy 32 (June 25, 2010) (full-text).
  3. NIST Special Publication 800-63-2.
  4. Cybersecurity A Primer for State Utility Regulators, App. B.
  5. Smartex: IoT Glossary of Terms and Standards (full-text).
