NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-5(10) — Dynamic Credential Binding
Bind identities and authenticators dynamically using the following rules: {{ insert: param, ia-05.10_odp }}.
Supplemental Guidance
Authentication requires some form of binding between an identity and the authenticator that is used to confirm the identity. In conventional approaches, binding is established by pre-provisioning both the identity and the authenticator to the system. For example, the binding between a username (i.e., identity) and a password (i.e., authenticator) is accomplished by provisioning the identity and authenticator as a pair in the system. New authentication techniques allow the binding between the identity and the authenticator to be implemented external to a system. For example, with smartcard credentials, the identity and authenticator are bound together on the smartcard. Using these credentials, systems can authenticate identities that have not been pre-provisioned, dynamically provisioning the identity after authentication. In these situations, organizations can anticipate the dynamic provisioning of identities. Pre-established trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.
Practitioner Notes
This enhancement requires dynamic credential binding — associating credentials with identity in real time rather than through static, pre-configured mappings.
Example 1: Use FIDO2 security keys with Azure AD that dynamically bind the cryptographic credential to the user's identity during registration, with no shared secrets.
Example 2: Implement just-in-time certificate issuance through your PKI where short-lived certificates are issued dynamically for each session rather than long-lived static certs.
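Added example (not from NIST or from any vendor's product): the binding rules above applied at authentication time, where a client certificate that the TLS layer has already chain-validated is checked against pre-established trusted authorities and the identity is provisioned only after those checks pass. The issuer names, lifetime limit, and default role are assumptions standing in for the unset ODP value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed binding rules (assumed; the page leaves the ODP value unset).
TRUSTED_ISSUERS = {"CN=Example Org Issuing CA", "CN=Example Partner CA"}
MAX_CREDENTIAL_LIFETIME_H = 12                    # short-lived certs only
DEFAULT_ROLES = frozenset({"baseline-user"})      # least privilege on JIT

@dataclass
class ValidatedCredential:
    """Attributes of a client certificate the TLS layer has ALREADY chain-
    validated (assumption: signature and revocation checks happened there)."""
    issuer: str
    subject_upn: str          # identity carried in the credential (SAN UPN)
    not_before: datetime
    not_after: datetime

@dataclass
class Identity:
    upn: str
    roles: frozenset
    bound_issuer: str
    provisioned_at: datetime

class DynamicBinder:
    """Binds identity to authenticator at authentication time instead of
    looking the pair up in a pre-provisioned table."""
    def __init__(self):
        self.identities: dict[str, Identity] = {}   # filled on demand

    def authenticate(self, cred: ValidatedCredential, now: datetime) -> Identity:
        # Rule 1: only a pre-established trusted authority may assert identity.
        if cred.issuer not in TRUSTED_ISSUERS:
            raise PermissionError(f"untrusted issuer: {cred.issuer}")
        # Rule 2: the credential must be inside its validity window right now.
        if not (cred.not_before <= now <= cred.not_after):
            raise PermissionError("credential outside validity window")
        # Rule 3: long-lived credentials are refused even if otherwise valid.
        lifetime_h = (cred.not_after - cred.not_before) / timedelta(hours=1)
        if lifetime_h > MAX_CREDENTIAL_LIFETIME_H:
            raise PermissionError(f"lifetime {lifetime_h:.0f}h exceeds policy")
        # Rule 4: provision the identity only now, after the checks passed,
        # with default roles; a returning identity is reused, not duplicated.
        ident = self.identities.get(cred.subject_upn)
        if ident is None:
            ident = Identity(cred.subject_upn, DEFAULT_ROLES, cred.issuer, now)
            self.identities[cred.subject_upn] = ident
        elif ident.bound_issuer != cred.issuer:
            raise PermissionError("identity already bound to another issuer")
        return ident
```

A rejected credential leaves no identity behind, so a failed authentication cannot be used to create accounts.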