NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-5(10) — Dynamic Credential Binding
Bind identities and authenticators dynamically using the following rules: [Assignment: organization-defined binding rules].
Supplemental Guidance
Authentication requires some form of binding between an identity and the authenticator that is used to confirm the identity. In conventional approaches, binding is established by pre-provisioning both the identity and the authenticator to the system. For example, the binding between a username (i.e., identity) and a password (i.e., authenticator) is accomplished by provisioning the identity and authenticator as a pair in the system. New authentication techniques allow the binding between the identity and the authenticator to be implemented external to a system. For example, with smartcard credentials, the identity and authenticator are bound together on the smartcard. Using these credentials, systems can authenticate identities that have not been pre-provisioned, dynamically provisioning the identity after authentication. In these situations, organizations can anticipate the dynamic provisioning of identities. Pre-established trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.
Practitioner Notes
This enhancement covers dynamic credential binding: the binding between an identity and its authenticator is established by an external authority (for example, on a PIV smartcard or in a certificate) and the system accepts that binding at authentication time, instead of pre-provisioning each user and authenticator as a pair. The organization-defined binding rules should therefore name which issuing authorities are trusted, how their credentials are validated (signature chain, validity period, revocation status), which credential field supplies the identity, and what account and privileges are provisioned after a successful authentication. Without that pre-established trust relationship, the system has no basis for accepting an identity it has never seen.
Example 1: Federate applications to an identity provider such as Azure AD (now Microsoft Entra ID) and let each application create the user's account from the first successful SAML or OIDC assertion (just-in-time provisioning) rather than pre-creating every user. FIDO2 security keys fit well here because registration leaves no shared secret on the provider, only a public key; note, however, that key registration in the provider itself still binds the key to an account the provider already knows. The dynamic binding that satisfies this enhancement happens at the relying applications, which accept the provider's assertion on the strength of the federation trust.
Example 2: Issue short-lived certificates just in time from your PKI (SSH user certificates from an SSH CA, or per-session and per-workload X.509 certificates) so that relying hosts and services authenticate any principal whose certificate chains to the trusted CA and is within its validity window, with no per-user key or account pre-provisioned on the host. Short lifetimes also shrink the window in which a stolen certificate is useful and reduce dependence on revocation checking, the usual operational weakness of long-lived static certificates.
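The smartcard case in the Supplemental Guidance and the certificate case in Example 2 follow the same pattern at the relying system: validate the issuer's signature over the identity/key binding, check the validity window, prove possession of the bound private key, then provision the identity on first use. The following Go program is an added example written for this page, not code from NIST or any vendor product; it assumes a simplified Ed25519-signed credential format in place of a real PIV or X.509 certificate and a single-use server challenge for proof of possession, and it omits revocation checking and the trust store's own provisioning (hypothetical names such as `Issue`, `RelyingSystem` and `Authenticate` are this example's own).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Credential models the binding a trusted authority establishes outside the
// relying system (the smartcard/certificate case): the authority asserts that
// Identity controls SubjectKey during a validity window. Example format only.
type Credential struct {
	Identity   string
	Issuer     string
	SubjectKey ed25519.PublicKey
	NotBefore  int64  // Unix seconds
	NotAfter   int64  // Unix seconds
	Signature  []byte // issuer's Ed25519 signature over tbs()
}

// tbs returns the to-be-signed bytes in a fixed layout so issuer and relying
// system sign and verify exactly the same fields.
func (c *Credential) tbs() []byte {
	return []byte(fmt.Sprintf("%s\x00%s\x00%x\x00%d\x00%d",
		c.Identity, c.Issuer, []byte(c.SubjectKey), c.NotBefore, c.NotAfter))
}

// Issue is the authority's side: sign the identity-to-key binding.
func Issue(issuer string, issuerKey ed25519.PrivateKey, identity string,
	subjectKey ed25519.PublicKey, notBefore, notAfter int64) *Credential {
	c := &Credential{Identity: identity, Issuer: issuer, SubjectKey: subjectKey,
		NotBefore: notBefore, NotAfter: notAfter}
	c.Signature = ed25519.Sign(issuerKey, c.tbs())
	return c
}

var (
	ErrUntrustedIssuer = errors.New("issuer not in trust store")
	ErrBadIssuerSig    = errors.New("issuer signature does not verify")
	ErrNotValid        = errors.New("credential outside its validity window")
	ErrBadNonce        = errors.New("challenge unknown or already used")
	ErrBadProof        = errors.New("proof of possession does not verify")
)

// RelyingSystem holds the pre-established trust relationship (issuer public
// keys) but no pre-provisioned users; accounts are created on first login.
type RelyingSystem struct {
	TrustedIssuers map[string]ed25519.PublicKey
	Users          map[string]bool // identities provisioned so far
	pending        map[string]bool // outstanding single-use challenges
}

func NewRelyingSystem() *RelyingSystem {
	return &RelyingSystem{TrustedIssuers: map[string]ed25519.PublicKey{},
		Users: map[string]bool{}, pending: map[string]bool{}}
}

// Challenge issues a fresh random nonce that must be signed with the bound
// private key, so a copied credential alone is not enough to log in.
func (rs *RelyingSystem) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	rs.pending[string(nonce)] = true
	return nonce
}

// Authenticate validates the external binding, then proof of possession, and
// provisions the identity on first success. Returns identity, whether it was
// provisioned just now, and any error.
func (rs *RelyingSystem) Authenticate(c *Credential, nonce, proof []byte, now int64) (string, bool, error) {
	issuerKey, ok := rs.TrustedIssuers[c.Issuer]
	if !ok {
		return "", false, ErrUntrustedIssuer
	}
	if !ed25519.Verify(issuerKey, c.tbs(), c.Signature) {
		return "", false, ErrBadIssuerSig
	}
	if now < c.NotBefore || now > c.NotAfter {
		return "", false, ErrNotValid
	}
	if !rs.pending[string(nonce)] {
		return "", false, ErrBadNonce
	}
	delete(rs.pending, string(nonce)) // single use, even if the proof fails
	// Length guard: ed25519.Verify panics on a malformed public key.
	if len(c.SubjectKey) != ed25519.PublicKeySize || !ed25519.Verify(c.SubjectKey, nonce, proof) {
		return "", false, ErrBadProof
	}
	provisioned := !rs.Users[c.Identity]
	rs.Users[c.Identity] = true // dynamic provisioning after authentication
	return c.Identity, provisioned, nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	rs := NewRelyingSystem()
	rs.TrustedIssuers["Example Agency CA"] = caPub // the pre-established trust

	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now().Unix()
	card := Issue("Example Agency CA", caPriv, "alice@example.gov", userPub, now-60, now+3600)

	nonce := rs.Challenge()
	id, fresh, err := rs.Authenticate(card, nonce, ed25519.Sign(userPriv, nonce), now)
	fmt.Println(id, fresh, err) // alice@example.gov true <nil>
	_, _, err = rs.Authenticate(card, nonce, ed25519.Sign(userPriv, nonce), now)
	fmt.Println(err) // challenge unknown or already used
}
```

The order of checks matters: the issuer and validity checks run before the challenge is consumed, so a presenter cannot burn challenges with garbage credentials, and the challenge is deleted before the possession proof is verified so a failed proof cannot be retried against the same nonce. A rejected credential never reaches the provisioning step, which is the property the binding rules are meant to guarantee.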