While SP 800-63B does not contain its own terminology section (a common glossary may be found in SP 800-63-3 Appendix A), certain authentication-related terms are used in ways that may be unfamiliar to some readers. This section describes some of that usage.
The use of the term authenticator is different in SP 800-63B from earlier editions of SP 800-63. In previous editions, whatever contained the authentication secret (or in some cases, as with passwords, the authentication secret itself) was referred to as a token. An authenticator was the output of a token, e.g., the one-time password generated by an OTP device.
However, in federated identity systems (covered in SP 800-63C), the term token is commonly applied to an artifact transmitted between systems to convey an authorization or authentication result. In order to avoid conflicting use of the term, SP 800-63B has adopted the term authenticator to replace its former use of token and the term authenticator output to replace its former usage of authenticator. While this may be jarring to some users of the earlier SP 800-63, it is expected that in the long term this will cause less confusion than to continue with the former usage.
While in the past a subscriber might be issued (provided) one or more authenticators as part of the enrollment process, there is a trend toward the use of so-called bring-your-own authenticators, which are supplied by the subscriber and may in some cases be used with multiple CSPs. As a result, SP 800-63B refers to the binding rather than the issuance of authenticators, a term that covers both issued and user-provided authenticators. There are other types of binding as well, which should be clear from the context in which they are used.
The term credential has several meanings in identity management and more broadly in society. A newly-assigned ambassador is described as presenting their credentials (a letter of introduction from their government) at a new posting. One might also describe a diploma, passport, driver’s license, or PIV card as credentials.
Another meaning, used in this document and in the SP 800-63-3 document suite, is that a credential is an association of a specific individual and their identifying attributes with one or more authenticators. A credential is established as a result of identity proofing and authenticator binding. The authoritative instance of a credential is a data structure that is securely maintained by the CSP.
In some cases—notably, with PIV cards—copies of subject (user) attributes are stored on an authenticator, in most cases cryptographically signed by the CSP or other authority. This is useful when it isn’t possible to communicate with the CSP, e.g., in disaster situations. However, attributes can change, so such copies, even if accompanied by valid signatures, might be considered less authoritative if they can’t be verified online with the CSP.
It isn’t possible to entirely avoid the usage of credential as a physical object held by the claimant. SP 800-63B attempts to be consistent in its use of the term in the above-described way, rather than as a user-retained physical credential.