diff --git a/lib/models/user.js b/lib/models/user.js
index 877eb36b..e1518bd4 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -26,22 +26,11 @@ var properties = {
     realm: {type: String},
     username: {type: String},
     password: {type: String, required: true},
+    credentials: Object, // deprecated, to be removed in 2.x
+    challenges: Object, // deprecated, to be removed in 2.x
     email: {type: String, required: true},
     emailVerified: Boolean,
     verificationToken: String,
-
-    credentials: [
-        'UserCredential' // User credentials, private or public, such as private/public keys, Kerberos tickets, oAuth tokens, facebook, google, github ids
-    ],
-    challenges: [
-        'Challenge' // Security questions/answers
-    ],
-    // https://en.wikipedia.org/wiki/Multi-factor_authentication
-    /*
-    factors: [
-        'AuthenticationFactor'
-    ],
-    */
     status: String,
     created: Date,
     lastUpdated: Date
diff --git a/test/user.test.js b/test/user.test.js
index e0c53e32..1329f510 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -53,6 +53,22 @@ describe('User', function(){
       });
     });
 
+    it('credentials/challenges are object types', function (done) {
+      User.create({email: 'f1@b.com', password: 'bar1',
+        credentials: {cert: 'xxxxx', key: '111'},
+        challenges: {x: 'X', a: 1}
+      }, function (err, user) {
+        assert(!err);
+        User.findById(user.id, function (err, user) {
+          assert(user.id);
+          assert(user.email);
+          assert.deepEqual(user.credentials, {cert: 'xxxxx', key: '111'});
+          assert.deepEqual(user.challenges, {x: 'X', a: 1});
+          done();
+        });
+      });
+    });
+
     it('Email is required', function (done) {
       User.create({password: '123'}, function (err) {
         assert(err);