diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index da2a15cfc2..074893fe5a 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -3536,7 +3536,8 @@ psa_status_t psa_key_derivation_output_bytes(
  *     - #PSA_KEY_TYPE_ARC4;
  *     - #PSA_KEY_TYPE_CAMELLIA;
  *     - #PSA_KEY_TYPE_DERIVE;
- *     - #PSA_KEY_TYPE_HMAC.
+ *     - #PSA_KEY_TYPE_HMAC;
+ *     - #PSA_KEY_TYPE_PASSWORD_HASH.
  *
  * - For ECC keys on a Montgomery elliptic curve
  *   (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a
@@ -3722,12 +3723,13 @@ psa_status_t psa_key_derivation_verify_bytes(
  * psa_key_derivation_abort().
  *
  * \param[in,out] operation The key derivation operation object to read from.
- * \param[in] expected      A key of type #PSA_KEY_TYPE_RAW_DATA containing
- *                          the expected output. Its policy must include the
- *                          #PSA_KEY_USAGE_VERIFY_DERIVATION flag and the
- *                          permitted algorithm must match the operation.
- *                          The value of this key was likely computed by a
- *                          previous call to psa_key_derivation_output_key().
+ * \param[in] expected      A key of type #PSA_KEY_TYPE_PASSWORD_HASH
+ *                          containing the expected output. Its policy must
+ *                          include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag
+ *                          and the permitted algorithm must match the
+ *                          operation. The value of this key was likely
+ *                          computed by a previous call to
+ *                          psa_key_derivation_output_key().
  *
  * \retval #PSA_SUCCESS
  * \retval #PSA_ERROR_INVALID_SIGNATURE
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index faccaf6334..917a0a2633 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -443,12 +443,20 @@
  */
 #define PSA_KEY_TYPE_PASSWORD                       ((psa_key_type_t)0x1203)
 
+/** A secret value that can be used to verify a password hash.
+ *
+ * The key policy determines which key derivation algorithm the key
+ * can be used for, among the same permissible subset as for
+ * #PSA_KEY_TYPE_PASSWORD.
+ */
+#define PSA_KEY_TYPE_PASSWORD_HASH                  ((psa_key_type_t)0x1205)
+
 /** A secret value that can be used in when computing a password hash.
  *
  * The key policy determines which key derivation algorithm the key
  * can be used for, among the subset of algorithms that can use pepper.
  */
-#define PSA_KEY_TYPE_PEPPER                         ((psa_key_type_t)0x1205)
+#define PSA_KEY_TYPE_PEPPER                         ((psa_key_type_t)0x1206)
 
 /** Key for a cipher, AEAD or MAC algorithm based on the AES block cipher.
  *
@@ -2204,7 +2212,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key )
  *
  * This flag allows the key to be used:
  *
- * - for a key of type #PSA_KEY_TYPE_RAW_DATA, as the \c key argument of
+ * - for a key of type #PSA_KEY_TYPE_PASSWORD_HASH, as the \c key argument of
  *   psa_key_derivation_verify_key();
  * - for a key of type #PSA_KEY_TYPE_PASSWORD (or #PSA_KEY_TYPE_DERIVE), as
  *   the input to psa_key_derivation_input_key() at the step