A credential is a piece of any document that details a qualification, competence, or authority issued to an individual by a third party with a relevant or de facto authority or assumed competence to do so.
Examples of credentials include academic diplomas, academic degrees, certifications, security clearances, identification documents, badges, passwords, user names, keys, powers of attorney, and so on. Sometimes publications, such as scientific papers or books, may be viewed as similar to credentials by some people, especially if the publication was peer reviewed or made in a well-known journal or reputable publisher.
A person holding a credential is usually given documentation or secret knowledge (e.g., a password or key) as proof of the credential. Sometimes this proof (or a copy of it) is held by a third, trusted party. While in some cases a credential may be as simple as a paper membership card, in other cases, such as diplomacy, it involves the presentation of letters directly from the issuer of the credential detailing its faith in the person representing them in a negotiation or meeting.
Counterfeiting of credentials is a constant and serious problem, irrespective of the type of credential. A great deal of effort goes into finding methods to reduce or prevent counterfeiting. In general, the greater the perceived value of the credential, the greater the problem with counterfeiting and the greater the lengths to which the issuer of the credential must go to prevent fraud.
In diplomacy, credentials, also known as a letter of credence, are documents that ambassadors, diplomatic ministers, plenipotentiaries, and chargés d'affaires provide to the government to which they are accredited, for the purpose, chiefly, of communicating to the latter the envoy's diplomatic rank. They also contain a request that full credence be accorded to his official statements. Until his credentials have been presented and found in proper order, an envoy receives no official recognition. [1]
The credentials of an ambassador or minister plenipotentiary are signed by the head of state, those of a chargé d'affaires by the foreign minister. [1] Diplomatic credentials are granted and withdrawn at the pleasure of the issuing authority, based on widely varying criteria. A receiving government may reject a diplomat’s credentials by declining to receive them, but in practice this rarely happens.
In medicine, the process of credentialing is a detailed review of all permissions granted a medical doctor, physician assistant or nurse practitioner at every institution at which he or she has worked in the past, to determine a risk profile for them at a new institution. It vets the practitioner for both receiving practice insurance and the ability to bill to insurance for patient care. As well, it certifies legal and administrative body requirements, such as the Joint Commission.
Medical practitioners must also have credentials in the form of licenses issued by the government of the jurisdictions in which they practice, which they obtain after suitable education, training, and/or practical experience. Most medical credentials are granted for a practice-specific group. They may also be withdrawn in the event of fraud or malpractice by their holders. Typically they require continuing education validation and renewal to continue practice.
Information systems commonly use credentials to control access to information or other resources. The classic combination of a user's account number or name and a secret password is a widely used example of IT credentials. An increasing number of information systems use other forms of documentation of credentials, such as biometrics (fingerprints, voice recognition, retinal scans), X.509, public key certificates, and so on.
Credentials in cryptography establish the identity of a party to communication. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be self-issued, or issued by a trusted third party; in many cases the only criterion for issuance is unambiguous association of the credential with a specific, real individual or other entity. Cryptographic credentials are often designed to expire after a certain period, although this is not mandatory. An X.509 public key certificate is an example of a cryptographic credential.
Operators of vehicles such as automobiles, boats, and aircraft must have credentials in the form of government-issued licenses in many jurisdictions. Often the documentation of the license consists of a simple card or certificate that the operator keeps on his person while operating the vehicle, backed up by an archival record of the license at some central location. Licenses are granted to operators after a period of successful training and/or examination.
This type of credential often requires certification of good health and may also require psychological evaluations and screening for substance abuse.
Operator licenses often expire periodically and must be renewed at intervals. Renewal may simply be a formality, or it may require a new round of examinations and training.
In military and government organizations, and some private organizations, a system of compartmentalizing information exists to prevent the uncontrolled dissemination of information considered to be sensitive or confidential. Persons with a legitimate need to have access to such information are issued security clearances, which can be tracked and verified to ensure that no unauthorized persons gain access to protected information.
Security clearances are among the most carefully guarded credentials. Often they are granted to individuals only after a lengthy investigation and only after their need to have access to protected information has been adequately justified to the issuing authority. The most elaborate security-clearance systems are found in the world's military organizations. Some credentials of this type are considered so sensitive that their holders are not even permitted to acknowledge that they have them (except to authorized parties). Documentation of security clearances usually consists of records kept at a secure facility and verifiable on demand from authorized parties.
Breaches of security involving security clearances are often punished by specific statutory law, particularly if they occur in the context of deliberate espionage, whereas most other counterfeiting and misuse of credentials is punished by law only when used with deliberate intent to defraud in specific contexts. Security clearances are regularly withdrawn when they are no longer justified, or when the person holding them is determined to be too great a security risk.
In many democratic nations, press credentials are not required at the national or federal level for any publication of any kind. However, individual corporations, and certain government or military entities require press credentials, such as a press pass, as a formal invitation to members of the press which grants them rights to photographs or videos, press conferences, or interviews. Press credentials indicate that a person has been verified as working for a known publication, and holding a press pass typically allows that person special treatment or access rights.
Some governments impose restrictions on who may work as a journalist, requiring anyone working for the press to carry government-issued credentials. Restricting press credentials can be problematic because of its limitations on freedom of the press, particularly if government leaders selectively grant, withhold, or withdraw press credentials to disallow critique of government policy. Any press coverage published under governments that restrict journalism in this way is often treated with skepticism by others, and may not be considered any more truthful or informative than propaganda.
Some trades and professions in some jurisdictions require special credentials of anyone practicing the trade or profession. These credentials may or may not be associated with specific competencies or skills. In some cases, they exist mainly to control the number of people who are allowed to exercise a trade or profession, in order to control salaries and wages.
Persons acting as merchants, freelancers, etc., may require special credentials in some jurisdictions as well. Here again, the purpose is mainly to control the number of people working in this way, and sometimes also to track them for tax-reporting or other purposes like people evaluation.
The academic and professional world makes very extensive use of credentials, such as diplomas, degrees, certificates, and certifications, in order to attest to the completion of specific training or education programs by students, to attest to their successful completion of tests and exams, and to provide independent validation of an individual's possession of the knowledge, skills, and ability necessary to practice a particular occupation competently (for example: Arun Paul MSW, MPHIL).
Documentation of academic and professional credentials usually consists of a printed, formal document. The issuing institution often maintains a record of the credential as well. Academic credentials are normally valid for the lifetime of the person to whom they are issued. Professional certifications are normally valid for a limited number of years, based on the pace of change in the certified profession, and require periodic re-certification through re-examination (to demonstrate continuing competency as occupational standards of practice evolve) or continuing professional development (to demonstrate continually enhanced competency). [2]
Acquisition of these credentials often leads to increased economic mobility and work opportunity, especially for low-income people. A general term for academic credentials in the form of a resume is Curriculum vitae, often abbreviated as CV. [3]
Titles are credentials that identify a person as belonging to a specific group, such as nobility or aristocracy, or a specific command grade in the military, or in other largely symbolic ways. They may or may not be associated with specific authority, and they do not usually attest to any specific competence or skill (although they may be associated with other credentials that do). A partial list of such titles includes.
Dynamics:
In physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.
Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.
CISSP is an independent information security certification granted by the International Information System Security Certification Consortium, also known as ISC2.
Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.
Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and is updated by RFC 5247. EAP is an authentication framework for providing the transport and usage of material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's messages.
A digital identity is data stored on computer systems relating to an individual, organization, application, or device. For individuals, it involves the collection of personal data that is essential for facilitating automated access to digital services, confirming one's identity on the internet, and allowing digital systems to manage interactions between different parties. It is a component of a person's social identity in the digital realm, often referred to as their online identity.
Identity document forgery is the process by which identity documents issued by governing bodies are illegally copied and/or modified by persons not authorized to create such documents or engage in such modifications, for the purpose of deceiving those who would view the documents about the identity or status of the bearer. The term also encompasses the activity of acquiring identity documents from legitimate bodies by falsifying the required supporting documentation in order to create the desired identity.
In the United States, identity documents are typically the regional state-issued driver's license or identity card, while also the Social Security card and the United States passport card may serve as national identification. The United States passport itself also may serve as identification. There is, however, no official "national identity card" in the United States, in the sense that there is no federal agency with nationwide jurisdiction that directly issues an identity document to all US citizens for mandatory regular use.
A credential service provider (CSP) is a trusted entity that issues security tokens or electronic credentials to subscribers. A CSP forms part of an authentication system, most typically identified as a separate entity in a federated authentication system. A CSP may be an independent third party, or may issue credentials for its own use. The term CSP is used frequently in the context of the US government's eGov and e-authentication initiatives. An example of a CSP would be an online site whose primary purpose may be, for example, internet banking - but whose users may be subsequently authenticated to other sites, applications or services without further action on their part.
A password manager is a software program to prevent password fatigue by automatically generating, autofilling and storing passwords. It can do this for local applications or web applications such as online shops or social media. Web browsers tend to have a built-in password manager. Password managers typically require a user to create and remember a single password to unlock and access the stored passwords. Password managers can integrate multi-factor authentication.
A gatekeeper is a person who controls access to something, for example via a city gate or bouncer, or more abstractly, controls who is granted access to a category or status. Gatekeepers assess who is "in or out", in the classic words of management scholar Kurt Lewin.
Data Protection Application Programming Interface (DPAPI) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI inner-workings was published in 2011 by Bursztein et al.
Digital credentials are the digital equivalent of paper-based credentials. Just as a paper-based credential could be a passport, a driver's license, a membership certificate or some kind of ticket to obtain some service, such as a cinema ticket or a public transport ticket, a digital credential is a proof of qualification, competence, or clearance that is attached to a person. Also, digital credentials prove something about their owner. Both types of credentials may contain personal information such as the person's name, birthplace, birthdate, and/or biometric information such as a picture or a fingerprint.
There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.
Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.
The Merchant Mariner Credential (MMC) is a credential issued by the United States Coast Guard in accordance with guidelines of the International Convention on Standards of Training, Certification and Watchkeeping for Seafarers (STCW) to United States seafarers in order to show evidence of a mariner's qualifications. It is the standard documentation required for all crew members of U.S. ships for all vessels required to operate with a licensed Master or Operator, regardless of size. The MMC replaced the Merchant Mariner's Document, merchant mariner license, Certificate of Registry, and STCW Certificate.
The Biofeedback Certification International Alliance (BCIA) is an organization that issues certificates for biofeedback, which is "gaining awareness of biological processes".
A whole new range of techniques has been developed to identify people since the 1960s from the measurement and analysis of parts of their bodies to DNA profiles. Forms of identification are used to ensure that citizens are eligible for rights to benefits and to vote without fear of impersonation while private individuals have used seals and signatures for centuries to lay claim to real and personal estate. Generally, the amount of proof of identity that is required to gain access to something is proportionate to the value of what is being sought. It is estimated that only 4% of online transactions use methods other than simple passwords. Security of systems resources generally follows a three-step process of identification, authentication and authorization. Today, a high level of trust is as critical to eCommerce transactions as it is to traditional face-to-face transactions.
Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords, and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number of previously discovered credential pairs using standard web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.
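The distinction drawn above between credential stuffing and credential cracking shows up in authentication logs, and the following detection sketch is an added example, not part of the original article. The log format, the function names `build_sample_log` and `classify_sources`, and all thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed log lines (not real data): 'time src_ip username result'."""
    lines = []
    # Source A: 20 different accounts, one attempt each; one leaked pair still works.
    for i in range(20):
        result = "OK" if i == 13 else "FAIL"
        lines.append(f"2024-05-01T10:00:{i:02d}Z 198.51.100.7 user{i}@example.com {result}")
    # Source B: many passwords tried against a single account (guessing, not stuffing).
    for i in range(15):
        lines.append(f"2024-05-01T10:01:{i:02d}Z 203.0.113.9 admin@example.com FAIL")
    # Source C: an ordinary user who mistypes once, then logs in.
    lines.append("2024-05-01T10:02:00Z 192.0.2.44 carol@example.com FAIL")
    lines.append("2024-05-01T10:02:05Z 192.0.2.44 carol@example.com OK")
    return lines

def classify_sources(lines, min_attempts=10, min_fail_rate=0.8, max_tries_per_user=2):
    """Label each source IP; thresholds are illustrative assumptions to tune."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "hits": []})
    for line in lines:
        _ts, ip, user, result = line.split()
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user.lower())
        if result == "OK":
            s["hits"].append(user.lower())
        else:
            s["fails"] += 1

    report = {}
    for ip, s in stats.items():
        fail_rate = s["fails"] / s["attempts"]
        tries_per_user = s["attempts"] / len(s["users"])
        if s["attempts"] < min_attempts or fail_rate < min_fail_rate:
            label = "normal"
        elif tries_per_user <= max_tries_per_user:
            # Many accounts, about one try each: replay of known pairs.
            label = "credential_stuffing"
        else:
            # Few accounts, many tries each: guessing or brute force.
            label = "password_guessing"
        report[ip] = {
            "label": label,
            "distinct_users": len(s["users"]),
            "fail_rate": round(fail_rate, 2),
            # Successful logins from a flagged source need a reset and session revocation.
            "accounts_to_reset": s["hits"] if label != "normal" else [],
        }
    return report

if __name__ == "__main__":
    for ip, row in classify_sources(build_sample_log()).items():
        print(ip, row)
```

Grouping by source IP is the simplifying assumption here; the same attempts-per-account ratio can be computed over other keys such as user agent or network range.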
Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. WebAuthn credentials that are available across multiple devices are commonly referred to as passkeys.