Mobile Credentials

NIST Special Publication (SP) 800-63-4, which provides digital identity guidance, describes mobile credentials as authentication credentials stored digitally on mobile devices (e.g., smartphones, tablets, wearables) that enable identity verification for access to systems, applications, and physical locations. These credentials rely on cryptographic mechanisms and secure storage to provide authentication and authorization while maintaining a high level of security and privacy.

Mobile credentials can serve as:

  • Authentication tokens for logging into applications.
  • Derived credentials issued based on an existing identity proofing process.
  • Digital identity cards for accessing physical or logical resources.

Types of Mobile Credentials

OTPs: A one-time password (OTP) is an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session.

Consent-Based Notifications: Push notifications that ask the user to approve or deny a pending authentication request before access is granted.

PKI Credential: A certificate-based credential used to answer login requests that arrive as consent requests or push notifications from applications, enabling passwordless authentication.

Derived PIV Credentials (DPCs): Used in federal agencies as a mobile alternative to PIV/CAC cards, as defined in NIST SP 800-157. These credentials are issued by leveraging the identity proofing and vetting already performed for the existing PIV credential. They are stored in a secure enclave or trusted platform module (TPM) to prevent unauthorized access. These credentials are used for authentication in federal agencies and secure enterprise environments. For example, a government employee accesses a secure system using a mobile device that holds a Derived PIV Credential.

Derived FIDO2 Credentials (DFCs): A newer passwordless authentication method that complies with both NIST SP 800-157 and the FIDO2 specifications. These credentials are derived after verifying the user's PIV/CAC card and allow users to authenticate to secure systems or services without presenting the PIV card. They let users authenticate to the platform or other relying parties from common devices in both mobile and desktop environments.

FIDO2/WebAuthn Credentials: Defined in the FIDO2 specifications, these credentials enable passwordless authentication using a cryptographic key stored on the mobile device, typically protected by local user verification such as a biometric (fingerprint, face recognition) or a PIN. They can be used at authentication assurance levels AAL2 and AAL3 under NIST SP 800-63-4.

Mobile Digital Identity Cards: Digital versions of government IDs or corporate badges, such as a mobile PIV ID or a Mobile Driver's License (mDL) based on ISO 18013-5.

Mobile credentials provide secure, cryptography-based authentication for digital identity verification, offering strong security and usability. Organizations implementing mobile credentials must follow NIST guidelines to ensure compliance, security, and resilience against cyber threats.