Core Concept · 5 min · Updated April 2026

Audit Trail (Credential)

A credential audit trail is the documented record of all actions taken on authentication secrets — creation, access, modification, rotation, and revocation — required by HIPAA, PCI-DSS, SOC 2, and ISO 27001 as evidence of controlled access management.

Definition

A credential audit trail is a chronological, tamper-evident record of all significant events related to authentication secrets: creation, last use, modification, rotation, revocation, and associated compliance certification. Compliance frameworks require audit trails to demonstrate that access controls are operating as documented.

What must a credential audit trail include?

A complete credential audit trail includes: the credential identifier (a hash or opaque ID, never the plaintext), creation timestamp and method, the actor who created or modified the credential, the compliance standard used at creation, all access events (timestamp, actor, system), rotation events and reason, revocation events and reason, and the compliance certificate reference URL. Never include plaintext credentials in audit logs: if logs are exfiltrated, plaintext credentials are immediately exploitable. A bare, unsalted SHA-256 of a password is only marginally better, because an attacker holding the log can guess candidate passwords offline and compare hashes; derive the identifier with a keyed hash (HMAC) whose key is stored apart from the log, or assign a random opaque ID at creation time.

Audit trail requirements by framework

HIPAA §164.312(b) (Audit controls) requires hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. PCI DSS Requirement 10 requires audit log history to be retained for at least 12 months, with at least the most recent 3 months immediately available for analysis (Requirement 10.5.1 in v4.0; 10.7 in v3.2.1). SOC 2 CC7.2 requires that the entity monitor system components for anomalies and analyze them to determine whether they represent security events, which in practice means those events are logged and reviewed. ISO 27001:2013 A.12.4.1 (A.8.15 in the 2022 edition) requires event logs recording user activities, exceptions, faults, and information security events to be produced, kept, and regularly reviewed; privileged access and authentication events fall squarely within that scope.

The role of compliance certificates in audit trails

PassGeni compliance certificates function as point-in-time audit evidence for credential creation events. The certificate URL, when included in an audit trail record, allows auditors to verify independently that the credential was: generated via CSPRNG, met the required entropy threshold, and satisfied the named compliance standard. Certificates complement access logs — they cover the creation event; your identity management system covers subsequent access events.

How long must audit trails be retained?

HIPAA requires 6 years (§164.316(b)(2)(i), the documentation retention rule that covered entities generally apply to audit records). PCI DSS requires 12 months (3 months immediately accessible). SOC 2 requires retention matching your audit period (typically 12 months). ISO 27001 requires retention as defined in your information security policy, typically 12–24 months. If you are subject to multiple frameworks, retain for the longest required period, which is typically 6 years for HIPAA-covered entities.

Frequently asked questions

Is an audit trail the same as an access log?

Access logs record who accessed a system and when. An audit trail is broader — it covers all significant security events including access, modification, rotation, revocation, policy changes, and failed authentication attempts. Most compliance frameworks require both.

Can PassGeni certificates serve as audit trail evidence?

Yes, in the specific sense of creation event evidence. A PassGeni certificate URL in your audit log proves that at a specific timestamp, a credential was created with a specific entropy score meeting a named standard. It does not replace access logs for subsequent events.

Do audit trails need to be immutable?

Audit trails should be tamper-evident at minimum. PCI DSS Requirement 10.3 explicitly requires that audit logs be protected from destruction and unauthorized modification. SOC 2 auditors look for log integrity controls. Storing logs in a write-once (WORM) system, or chaining records cryptographically so that each entry commits to the hash of its predecessor, satisfies this requirement; chaining detects edits, deletions, and reordering, not just changes to a single record. A signed artifact such as a PassGeni ES256-signed certificate protects the integrity of that one creation record, and belongs inside the chain as evidence, but a signature on one record does not by itself reveal that other records were removed.
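As an added example (not PassGeni's code and not part of the original page), the following Python implements the record structure from "What must a credential audit trail include?" above together with the hash chaining this answer describes. The field names, the credential-ID key, the sample events and the certificate URL are assumptions constructed for the demonstration. The credential identifier is an HMAC-SHA256 rather than a bare SHA-256, so a leaked log gives an attacker nothing to crack offline, and the verifier shows that both an edited field and a deleted record break the chain.

```python
"""Hash-chained credential audit log (added example; not PassGeni code).

Each record carries the fields the text lists, identifies the credential by
a keyed hash instead of plaintext, and commits to the previous record's hash
so that edits, deletions and reordering are detectable. Key, field names and
sample events are constructed assumptions for this demonstration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Key used only to derive opaque credential identifiers. Stored apart from the
# log so a stolen log cannot be used for offline guessing. Constructed here;
# in production load it from a secrets manager.
CRED_ID_KEY = b"example-credential-id-key-not-for-production"

GENESIS = "0" * 64  # prev_hash of the first record


def credential_id(secret: str) -> str:
    """Opaque identifier: HMAC-SHA256 over the secret, never a bare hash."""
    return hmac.new(CRED_ID_KEY, secret.encode(), hashlib.sha256).hexdigest()


def record_hash(record: dict) -> str:
    # Canonical JSON so every verifier hashes identical bytes.
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_event(log: list, event: str, secret: str, actor: str, system: str,
                 reason: str = "", standard: str = "", certificate_url: str = "",
                 timestamp: str = "") -> dict:
    """Append one event (create | access | rotate | revoke). The secret itself
    is never stored; only its keyed identifier is."""
    body = {
        "seq": len(log),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "event": event,
        "credential_id": credential_id(secret),
        "actor": actor,
        "system": system,
        "reason": reason,
        "standard": standard,
        "certificate_url": certificate_url,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(body, hash=record_hash(body))
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Return (ok, index_of_first_bad_record); index is -1 when the chain is intact.
    Each hash covers the record's own fields plus prev_hash, so an edited
    field, a removed record or a reordered record all surface here."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry["prev_hash"] != expected_prev or entry["seq"] != i
                or record_hash(body) != entry["hash"]):
            return False, i
        expected_prev = entry["hash"]
    return True, -1


def contains_plaintext(log: list, secret: str) -> bool:
    """The control from the text: the secret must never appear in the log."""
    return secret in json.dumps(log)


def demo() -> dict:
    # Constructed sample events for one service-account credential.
    secret = "example-generated-credential-Xy9!"  # only ever HMACed, never logged
    log = []
    append_event(log, "create", secret, "alice", "vault", standard="PCI-DSS",
                 certificate_url="https://example.invalid/cert/1",  # assumed URL
                 timestamp="2026-04-01T10:00:00+00:00")
    append_event(log, "access", secret, "svc-billing", "prod-db",
                 timestamp="2026-04-02T08:30:00+00:00")
    append_event(log, "rotate", secret, "alice", "vault", reason="90-day policy",
                 timestamp="2026-04-03T09:00:00+00:00")
    ok_before, _ = verify_chain(log)
    # Simulated tampering: the actor on the access event is rewritten.
    tampered = [dict(e) for e in log]
    tampered[1]["actor"] = "bob"
    ok_tampered, tamper_index = verify_chain(tampered)
    # Simulated deletion: the access event is dropped from the middle.
    ok_deleted, deletion_index = verify_chain([log[0], log[2]])
    return {
        "intact": ok_before,
        "tamper_detected": not ok_tampered, "tamper_index": tamper_index,
        "deletion_detected": not ok_deleted, "deletion_index": deletion_index,
        "plaintext_in_log": contains_plaintext(log, secret),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the chain head (the latest hash) is periodically anchored somewhere the log writer cannot alter, such as a WORM bucket, a signed timestamp, or a separate ledger; otherwise an attacker with write access to the whole log could simply recompute the chain after editing it.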

What should not be included in an audit trail?

Never include: plaintext passwords or credentials, full cryptographic keys, raw PII beyond what is necessary to identify the actor, or session tokens. Identify a credential by a keyed hash (HMAC-SHA256 with a key kept apart from the log) or a random opaque ID, never the credential itself; a bare SHA-256 of a low-entropy password is still crackable offline by anyone who obtains the log.
