Credential Management System

A Credential Management System (CMS) is a comprehensive framework designed to manage the issuance and lifecycle of various types of identities and credentials. These identities can include Personal Identity Verification (PIV) cards, Commercial Identity Verification (CIV) tokens, FIDO2 passkeys, and mobile identities. The CMS ensures that each identity is securely created, distributed, and maintained throughout its lifecycle, including registration, usage, renewal, and expiration. It also supports the revocation of compromised or expired identities. By managing these credentials, the CMS helps ensure secure access to systems and services, enabling users to authenticate and authorize actions while maintaining compliance with security policies.

The Unifyia platform’s CMS allows organizations to manage the following key functions:

Issuance of Credentials

The CMS is responsible for generating and issuing various types of digital credentials. These include:

  • PIV (Personal Identity Verification): A secure, government-approved standard used for identity authentication, primarily in federal agencies. It typically involves a physical smart card with embedded cryptographic elements.
  • CIV (Commercial Identity Verification): A secure credential (smart card) that leverages FIPS-201 and the PIV Specifications for commercial use.
  • FIDO2 Passkeys: A modern, passwordless authentication method based on the FIDO (Fast Identity Online) standards. Passkeys replace traditional passwords with secure cryptographic keys, making authentication both more secure and user-friendly.
  • Mobile Identities: Digital wallet credentials held in mobile apps such as the Unifyia ID Wallet app. They are used to confirm a user's identity when accessing secure facilities or systems, registering for services, or completing transactions online, without the need for a separate physical device.

Lifecycle Management

The CMS not only manages the issuance of credentials but also ensures their proper maintenance throughout their lifecycle. This includes:

  • Activation: Enabling the credential for use once issued, ensuring it can be securely linked to the user’s identity.
  • Renewal: Managing the timely renewal of credentials and certificates when they are near expiration, ensuring continuous access while maintaining security.
  • Suspension/Revocation: When a credential is lost, stolen, or compromised, the CMS is responsible for promptly suspending or revoking the credential, ensuring that unauthorized access is prevented.
  • Expiration: Automatically deactivating credentials after their validity period, requiring users to go through the issuance process again.

Secure Storage and Access Control

The CMS securely stores identity data in a manner that prevents unauthorized access. This may involve encryption, multi-factor authentication, and role-based access control (RBAC). Only authorized personnel are allowed to manage or modify credentials.

Authentication and Access Control

Once a credential is issued, it can be used for secure authentication across various systems, networks, and services. The CMS ensures that each credential is used in compliance with defined access control policies, which may vary depending on the sensitivity of the resource being accessed.

Federated Authentication

The CMS may also support federated authentication mechanisms, enabling users to access services across different platforms using the same credentials, further simplifying access management.

Audit and Compliance

The CMS maintains logs of all credential-related activities, including issuance, updates, renewals, and revocations. These logs are essential for auditing purposes and ensuring compliance with security standards and regulations (e.g., NIST, GDPR, HIPAA). Regular audits help detect and prevent unauthorized activity and ensure that the system is being used correctly.
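The lifecycle steps listed under Lifecycle Management (activation, renewal, suspension/revocation, expiration) and the audit requirement described above fit naturally together as a state machine whose every transition, permitted or refused, is written to a log. The following Python is an added illustration and is not Unifyia's code; the state names, the 90-day renewal window, the actor names and the constructed PIV scenario in `run_scenario()` are all assumptions chosen for the example.

```python
"""Credential lifecycle state machine with an audit trail (added example, not Unifyia code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class State(Enum):
    ISSUED = "issued"        # generated, not yet linked to the holder
    ACTIVE = "active"        # usable for authentication
    SUSPENDED = "suspended"  # temporarily blocked (e.g. reported lost), can be reinstated
    REVOKED = "revoked"      # permanently invalid; terminal
    EXPIRED = "expired"      # validity period ended; terminal


# Permitted transitions (assumed policy). Anything not listed is refused
# but still logged, so an attempt to reactivate a revoked credential leaves a trace.
TRANSITIONS = {
    State.ISSUED: {State.ACTIVE, State.REVOKED},
    State.ACTIVE: {State.SUSPENDED, State.REVOKED, State.EXPIRED},
    State.SUSPENDED: {State.ACTIVE, State.REVOKED, State.EXPIRED},
    State.REVOKED: set(),
    State.EXPIRED: set(),
}

RENEWAL_WINDOW = timedelta(days=90)  # assumed policy: renew only when 90 days or fewer remain


@dataclass
class AuditEntry:
    at: datetime
    credential_id: str
    actor: str
    action: str
    outcome: str


@dataclass
class Credential:
    credential_id: str
    holder: str
    kind: str            # "PIV", "CIV", "FIDO2" or "mobile"
    not_after: datetime  # end of the validity period
    state: State = State.ISSUED
    audit: list = field(default_factory=list)

    def _log(self, now, actor, action, outcome):
        self.audit.append(AuditEntry(now, self.credential_id, actor, action, outcome))

    def _move(self, now, actor, target, reason):
        action = f"{self.state.value}->{target.value}"
        if target not in TRANSITIONS[self.state]:
            self._log(now, actor, action, f"denied: {reason}")
            return False
        self._log(now, actor, action, f"ok: {reason}")
        self.state = target
        return True

    def activate(self, now, actor):
        return self._move(now, actor, State.ACTIVE, "activation")

    def suspend(self, now, actor, reason):
        return self._move(now, actor, State.SUSPENDED, reason)

    def reinstate(self, now, actor, reason):
        return self._move(now, actor, State.ACTIVE, reason)

    def revoke(self, now, actor, reason):
        return self._move(now, actor, State.REVOKED, reason)

    def renew(self, now, actor, extension=timedelta(days=365)):
        """Extend validity, but only for an active credential inside the renewal window."""
        if self.state is not State.ACTIVE:
            self._log(now, actor, "renew", f"denied: state is {self.state.value}")
            return False
        if self.not_after - now > RENEWAL_WINDOW:
            self._log(now, actor, "renew", "denied: outside renewal window")
            return False
        self.not_after += extension
        self._log(now, actor, "renew", f"ok: valid until {self.not_after.date()}")
        return True

    def check_expiry(self, now):
        """Run by a scheduled job: expire anything whose validity period has ended."""
        if self.state in (State.ACTIVE, State.SUSPENDED) and now >= self.not_after:
            return self._move(now, "system", State.EXPIRED, "validity period ended")
        return False

    def is_usable(self, now):
        return self.state is State.ACTIVE and now < self.not_after


def run_scenario():
    """Walk one constructed PIV credential through its lifecycle and return it."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    cred = Credential("piv-0001", "alice", "PIV", not_after=t0 + timedelta(days=365))
    cred.activate(t0, "issuer-operator")
    cred.renew(t0 + timedelta(days=30), "alice")             # 335 days left: denied
    cred.renew(t0 + timedelta(days=300), "alice")            # 65 days left: extended
    cred.suspend(t0 + timedelta(days=310), "helpdesk", "card reported lost")
    cred.reinstate(t0 + timedelta(days=312), "helpdesk", "card found")
    cred.revoke(t0 + timedelta(days=400), "security-team", "holder separated")
    cred.reinstate(t0 + timedelta(days=401), "helpdesk", "mistaken request")  # refused, logged
    return cred


if __name__ == "__main__":
    for e in run_scenario().audit:
        print(e.at.date(), e.credential_id, e.actor, e.action, e.outcome)
```

Two design points matter for audit and compliance: refused transitions are logged with the same detail as successful ones, so a review of the trail shows who tried to reactivate a revoked credential and when; and every method takes the current time as a parameter, which keeps the log reproducible and lets an expiry job run against the same clock as the rest of the system.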

Interoperability

Unifyia is a one-of-a-kind modern CMS platform designed to be interoperable with a wide range of identity standards and systems. This includes support for protocols such as SAML, OAuth, SCIM, and OpenID Connect for identity federation and access management.

A Credential Management System serves as a cornerstone of modern identity and access management. It streamlines the entire process of credential issuance and lifecycle management for various identity types, providing a secure, efficient, and compliant means to ensure only authorized access to critical systems and data.