Top Things You Should Know: Derived Credentials and Workspace ONE

Apr 25, 2019
Kelly Masters


Kelly Masters is a Senior Product Marketing Manager for the VMware Workspace ONE platform, working with partners and customers across the globe to drive digital transformation. Kelly has a passion for technology, art of all kinds, and traveling. When she isn’t working, Kelly is likely practicing piano, writing, or exploring San Francisco.

Share This Post On

Can I get a show of virtual hands… which of you does not want single sign-in across all of your corporate resources? Did you know single sign-on (SSO) is one of the top things employees desired to improve their digital experience at work? Not only do the employees benefit but SSO drastically reduces the number of help desk calls related to password issues. In many highly regulated organizations, smart cards have become the primary tool for two-factor authentication (the smart card and a user PIN). These smart cards give users the power to access corporate resources by manually inserting the card and entering a PIN, seemingly as simple as SSO…but what if said user forgets this precious hardware…the keys to the corporate castle? And what about accessing corporate resources on mobile?

If you are in any way associated with a government agency or a highly secure organization, chances are you’ve heard of Derived Credentials. If not, lets jump right into it.

What is a Derived Credential?

A Derived Credential, as defined by NIST SP 800-157, is an alternative token, which can be implemented and deployed directly with mobile devices (such as smartphones and tablets). In simpler terms, a Derived Credential is a client certificate that’s issued to the mobile device after an end user has proven their identity by using their existing smart card (i.e. CAC or PIV) during an enrollment process.

What is the value of implementing Derived Credentials?

Derived credentials give highly secure organizations like government agencies a dependent, compliant method for adding strong authentication to mobile devices while also providing a compelling user experience. Derived Credentials also offer organizations a proven alternative to expensive and cumbersome physical identity verification (PIV) card readers that are often used to authenticate into highly sensitive information systems such as government. As I mentioned before, employees are seeking faster, easier authentication into corporate resources and derived credentials provides this.

Read More: “We Put a Smart Card Inside a Mobile Device”

How does VMware support Derived Credentials?

Instead of doing one-off integrations with every Derived Credentials vendor’s proprietary solution within each of our mobile apps, VMWare has built a framework for abstraction that allows every customer to have a very similar experience regardless of what Derived Credential vendor they use in conjunction with Workspace ONE.

We offer a solution for Derived Credentials through our proprietary app, Workspace ONE PIV-D Manager. We’ve partnered with industry leading providers such as Entrust, Intercede, XTEC, Purebred, and more to support a broad range of use cases using Derived Credentials certificates. This includes, but is not limited to, website and email authentication, S/MIME signing and encryption, and desktop login. These are applicable for both native and 3rd party built apps.

What’s the user experience like?

Workspace ONE PIV-D Manager lets your users break free of awkward authentication hardware to seamlessly access corporate resources. It is that simple.

With Entrust Datacard, we’ve made it even more simple. I am excited to share for the first time the latest feature as part of the Workspace ONE PIV-D app, the Bluetooth login feature. The Bluetooth login feature makes it even easier to use your mobile device as an authentication method to access corporate resources on both mobile AND desktop, removing the need for a smartcard.

Want to see how easy this integration is? Check it out in the demo below:

Want more?

To learn more about our Derived Credentials solution click here.

Read More: “We Put a Smart Card Inside a Mobile Device”