Derived Credentials: Pros and Cons


Usernames and passwords, no matter how many special characters, capitalized letters and numbers they contain, are ineffective. The Target breach in 2013, the Office of Personnel Management (OPM) breach in 2015 and the HBO hack in 2017 all started when login credentials (usernames and passwords) were stolen after someone, typically a third-party contractor, was unknowingly hacked. As with anything, you have other options for logging in and accessing information.

Recently, biometrics have taken the lead because our mobile devices are getting quite fancy, but let’s talk about a couple of other options: smart cards and derived credentials. These tools can be used together or independently. Smart cards and derived credentials are methods of two-factor or multi-factor authentication (using something you know with something you have). These methods aren’t as James Bond-esque, but they are effective because they’re much harder to replicate than usernames and passwords.

What are Smart Cards?
The US Government uses CAC or PIV cards with PINs, but you don’t have to be a government agency to implement smartcards in your work environment. To use a smartcard for logins, you will need hardware, such as our smartcard readers for Apple and Android mobile devices.

What are Derived Credentials?
Derived credentials are used, like any other login, to gain access to apps and information. Each credential created is unique to the user and is harder to replicate because the credential is something you physically have with something you know (and they can be encrypted), unlike your username and password, which you’ve probably been using for more than a decade. In most government use cases the credentials are derived from the user’s CAC or PIV card (smartcard), but you don’t have to have a smartcard to use derived credentials.

Most commercial organizations don’t use smartcards and can pay for each employee to have a derived credential created. The credentials are stored in a secure area on a mobile device and can be used to securely log into apps that have been granted permission to use the credentials.

Smartcard and Derived Credentials Pros:

  • Smartcards and derived credentials are harder to replicate, making them more secure than a username and password
  • Helpful for employees working remotely (ex. deployed military or third-party contractors)
  • Efficient and effective authentication for mobile devices
  • You don’t have to have a smartcard for a derived credential to be created; you can use a company like Entrust
  • Can be used as an alternate login for a desktop or network

Smartcard and Derived Credentials Cons:

  • Derived credentials can be pricey to create and distribute throughout an organization or company if you’re not using a smartcard
  • The need for additional hardware and software if you’re using a smartcard
  • The threat of rogue applications compromising the secure area where the credentials are stored

Our Sub Rosa and Sub Rosa Pro (available for Apple and Android) allow users to log in using their smartcard or derived credentials. Users are also able to access Outlook Web Access (OWA), sign/encrypt/decrypt email, sign documents and access their OWA calendar. To learn more about all of our simple and secure solutions, email