Authentication and access control

Terms related to authentication, including security definitions about passwords and words and phrases about proving identity.
  • access control list (ACL) - An access control list (ACL) is a list of rules that specifies which users or systems are granted or denied access to a particular object or system resource.
  • active attack - An active attack is a network exploit in which a hacker attempts to make changes to data on the target or data en route to the target.
  • Active Directory Domain Services (AD DS) - Active Directory Domain Services (AD DS) is a server role in Active Directory that allows admins to manage and store information about resources from a network, as well as application data, in a distributed database.
  • Active Directory Federation Services (AD FS) - Active Directory Federation Services (AD FS) is a feature of the Windows Server operating system (OS) that extends end users' single sign-on (SSO) access to applications and systems outside the corporate firewall.
  • adaptive multifactor authentication (adaptive MFA) - Adaptive multifactor authentication (MFA) is a security mechanism intended to authenticate and authorize users through a variety of contextual authentication factors.
  • Amazon Cognito - Amazon Cognito is an Amazon Web Services product that controls user authentication and access for mobile applications on internet-connected devices.
  • authentication - Authentication is the process of determining whether someone or something is who or what they say they are.
  • authentication factor - An authentication factor is a category of credential that is intended to verify, sometimes in combination with other factors, that an entity involved in some kind of communication or requesting access to some system is who, or what, they are declared to be.
  • authentication server - An authentication server is an application that facilitates the authentication of an entity that attempts to access a network.
  • Automatic Identification and Data Capture (AIDC) - Automatic Identification and Data Capture (AIDC) is a broad set of technologies used to collect information from an object, image or sound without manual data entry.
  • biometric authentication - Biometric authentication is a security process that relies on the unique biological characteristics of individuals to verify they are who they say they are.
  • biometric payment - Biometric payment is a point-of-sale (POS) technology that uses biometric authentication of physical characteristics to identify the user and authorize the deduction of funds from a bank account.
  • biometric verification - Biometric verification is any means by which a person can be uniquely identified by evaluating one or more distinguishing biological traits.
  • biometrics - Biometrics is the measurement and statistical analysis of people's unique physical and behavioral characteristics.
  • bitcoin mining - Bitcoin mining is a type of cryptomining in which new bitcoin are entered into circulation and bitcoin transactions are verified and added to the blockchain.
  • brute-force attack - A brute-force attack is a trial-and-error method used by application programs to decode login information and encryption keys to use them to gain unauthorized access to systems.
  • BYOI (bring your own identity) - BYOI (bring your own identity) is an approach to digital authentication in which an end user's username and password are managed by a third party.
  • channel partner portal - A channel partner portal is a web-based application that provides a vendor's established partners (usually distributors, resellers, service providers or other strategic partners) with access to deal registration, marketing resources, pricing and sales information for products and services, as well as technical details and support that are unavailable to other end users.
  • CHAP (Challenge-Handshake Authentication Protocol) - CHAP (Challenge-Handshake Authentication Protocol) is a challenge and response authentication method that Point-to-Point Protocol (PPP) servers use to verify the identity of a remote user.
  • claims-based identity - Claims-based identity is a means of authenticating an end user, application or device to another system in a way that abstracts the entity's specific information while providing data that authorizes it for appropriate and relevant interactions.
  • cloud security - Cloud security, also known as 'cloud computing security,' is a set of policies, practices and controls deployed to protect cloud-based data, applications and infrastructure from cyberattacks and cyberthreats.
  • cloud workload protection - Cloud workload protection is the safeguarding of workloads spread out across multiple cloud environments.
  • Common Access Card (CAC) - A Common Access Card (CAC) is a smart card issued by the United States Department of Defense for accessing DOD systems and facilities.
  • continuous authentication - Continuous authentication is a method of verification aimed at providing identity confirmation and cybersecurity protection on an ongoing basis.
  • Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) - Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is an encryption protocol based on the U.
  • credential stuffing - Credential stuffing is the practice of using stolen login information from one account to gain access to accounts on a number of sites through automated login.
  • credential theft - Credential theft is a type of cybercrime that involves stealing a victim's proof of identity.
  • cryptogram - A cryptogram is a word puzzle featuring encrypted text that the user decrypts to reveal a message of some sort.
  • CSR (Certificate Signing Request) - A Certificate Signing Request (CSR) is a specially formatted encrypted message sent from a Secure Sockets Layer (SSL) digital certificate applicant to a certificate authority (CA).
  • data masking - Data masking is a method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training.
  • decentralized identity - Decentralized identity is an approach to identifying and authenticating users and entities without a centralized authority.
  • default password - A default password is a standard preconfigured password for a device or software.
  • deprovisioning - Deprovisioning is the part of the employee lifecycle in which access rights to software and network services are taken away.
  • digital identity - A digital identity is the body of information about an individual, organization or electronic device that exists online.
  • Digital Signature Standard (DSS) - The Digital Signature Standard (DSS) is a digital signature algorithm (DSA) developed by the U.
  • Directory Services Restore Mode (DSRM) - Directory Services Restore Mode (DSRM) is a Safe Mode boot option for Windows Server domain controllers.
  • disposable email - Disposable email is a service that allows a registered user to receive email at a temporary address that expires after a certain time period elapses.
  • Duo Security - Duo Security is a vendor of cloud-based two-factor authentication products.
  • dynamic multipoint VPN (DMVPN) - A dynamic multipoint virtual private network (DMVPN) is a secure network that exchanges data between sites/routers without passing traffic through an organization's virtual private network (VPN) server or router located at its headquarters.
  • e-signature (electronic signature) - An e-signature (electronic signature) is a digital version of a traditional pen and ink signature.
  • e-ticket (electronic ticket) - An e-ticket (electronic ticket) is a paperless electronic document used for ticketing purposes, such as airfare or concert admission.
  • encryption key management - Encryption key management is the practice of generating, organizing, protecting, storing, backing up and distributing encryption keys.
  • enhanced driver's license (EDL) - An enhanced driver's license (EDL) is a government-issued permit that, in addition to the standard features of a driver's license, includes an RFID tag that allows officials to pull up the owner's biographical and biometric data.
  • Extensible Authentication Protocol (EAP) - The Extensible Authentication Protocol (EAP) is a protocol for wireless networks that expands the authentication methods used by the Point-to-Point Protocol (PPP), a protocol often used when connecting a computer to the internet.
  • facial recognition - Facial recognition is a category of biometric software that maps an individual's facial features to confirm their identity.
  • federated identity management (FIM) - Federated identity management (FIM) is an arrangement between multiple enterprises or domains that enables their users to use the same identification data (digital identity) to access all their networks.
  • FIDO (Fast Identity Online) - FIDO (Fast Identity Online) is a set of technology-agnostic security specifications for strong authentication.
  • four-factor authentication (4FA) - Four-factor authentication (4FA) is the use of four types of identity-confirming credentials, typically categorized as knowledge, possession, inherence and location factors.
  • fraud detection - Fraud detection is a set of activities undertaken to prevent money or property from being obtained through false pretenses.
  • full-disk encryption (FDE) - Full-disk encryption (FDE) is a security method for protecting sensitive data at the hardware level by encrypting all data on a disk drive.
  • Google Authenticator - Google Authenticator is a mobile security application that provides a second type of confirmation for websites and online services that use two-factor authentication (2FA) to verify a user's identity before granting him or her access to secure resources.
  • hardware security module (HSM) - A hardware security module (HSM) is a physical device that provides extra security for sensitive data.
  • Hash-based Message Authentication Code (HMAC) - Hash-based Message Authentication Code (HMAC) is a message encryption method that uses a cryptographic key in conjunction with a hash function.
  • identity management (ID management) - Identity management (ID management) is the organizational process for ensuring individuals have the appropriate access to technology resources.
  • identity provider - An identity provider (IdP) is a system component that provides an end user or internet-connected device with a single set of login credentials that ensures the entity is who or what it says it is across multiple platforms, applications and networks.
  • identity theft - Identity theft, also known as identity fraud, is a crime in which an imposter obtains key pieces of personally identifiable information (PII), such as Social Security or driver's license numbers, to impersonate someone else.
  • initialization vector - An initialization vector (IV) is an arbitrary number that can be used with a secret key for data encryption to foil cyber attacks.
  • Java Authentication and Authorization Service (JAAS) - The Java Authentication and Authorization Service (JAAS) is a set of application program interfaces (APIs) that can determine the identity of a user or computer attempting to run Java code, and ensure that the entity has the privilege or permission to execute the functions requested.
  • key fob - A key fob is a small, programmable device that provides access to a physical object.
  • key-value pair (KVP) - A key-value pair (KVP) is a set of two linked data items: a key, which is a unique identifier for some item of data, and the value, which is either the data that is identified or a pointer to the location of that data.
  • knowledge-based authentication - Knowledge-based authentication (KBA) is an authentication method in which users are asked to answer at least one secret question.
  • LDAP injection - LDAP (Lightweight Directory Access Protocol) injection is a type of security exploit that is used to compromise the authentication process used by some websites.
  • LEAP (Lightweight Extensible Authentication Protocol) - LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary version of EAP, the authentication protocol used in wireless networks and Point-to-Point connections.
  • logon (or login) - In computing, a logon is a procedure that enables an entity to access a secure system such as an operating system, application, service, website or other resource.
  • machine authentication - Machine authentication is the authorization of an automated human-to-machine or machine-to-machine (M2M) communication through verification of a digital certificate or digital credentials.
  • man-in-the-middle attack (MitM) - A man-in-the-middle (MitM) attack is a type of cyber attack in which the attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with each other.
  • mandatory access control (MAC) - Mandatory access control (MAC) is a security strategy that restricts the ability individual resource owners have to grant or deny access to resource objects in a file system.
  • Massachusetts data protection law - The Massachusetts data protection law is legislation that stipulates security requirements for organizations that handle the private data of residents.
  • message authentication code (MAC) - A message authentication code (MAC) is a cryptographic checksum applied to a message in network communication to guarantee its integrity and authenticity.
  • Microsoft Azure Key Vault - Microsoft Azure Key Vault is a cloud-based security service offered by Microsoft as part of its Azure platform.
  • Microsoft Network Device Enrollment Service (NDES) - Microsoft Network Device Enrollment Service (NDES) is a security feature in Windows Server 2008 R2 and later Windows Server operating versions.
  • Microsoft Windows Azure Active Directory (Windows Azure AD) - Microsoft Windows Azure Active Directory (Windows Azure AD or Azure AD) is a cloud service that provides administrators with the ability to manage end-user identities and access privileges.
  • Microsoft Windows Hello - Microsoft Windows Hello is a biometric identity and access control feature that supports fingerprint scanners, iris scanners and facial recognition technology on compatible devices running Windows.
  • mimikatz - Mimikatz is an open source malware program used by hackers and penetration testers to gather credentials on Windows computers.
  • mobile authentication - Mobile authentication is the verification of a user's identity via a mobile device using one or more authentication methods for secure access.
  • multifactor authentication - Multifactor authentication (MFA) is an account login process that requires multiple methods of authentication from independent categories of credentials to verify a user's identity for a login or other transaction.
  • mutual authentication - Mutual authentication, also called two-way authentication, is a process or technology in which both entities in a communications link authenticate each other.
  • national identity card - A national identity card is a portable document, typically a plasticized card with digitally embedded information, that is used to verify aspects of a person's identity.
  • nonrepudiation - Nonrepudiation ensures that no party can deny that it sent or received a message via encryption and/or digital signatures or approved some information.
  • OAuth (Open Authorization) - OAuth (Open Authorization) is an open standard authorization framework for token-based authorization on the internet.
  • one-time password - A one-time password (OTP) is an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session.
  • Open System Authentication (OSA) - Open System Authentication (OSA) is a process by which a computer can gain access to a wireless network that uses the Wired Equivalent Privacy (WEP) protocol.
  • OpenID (OpenID Connect) - OpenID Connect is an open specification for authentication and single sign-on (SSO).
  • orphan account - An orphan account, also referred to as an orphaned account, is a user account that can provide access to corporate systems, services and applications but does not have a valid owner.
  • out-of-band authentication - Out-of-band authentication is a type of two-factor authentication (2FA) that requires a secondary verification method through a separate communication channel along with the typical ID and password.
  • pass the hash attack - A pass the hash attack is an exploit in which an attacker steals a hashed user credential and -- without cracking it -- reuses it to trick an authentication system into creating a new authenticated session on the same network.
  • passphrase - A passphrase is a sentencelike string of words used for authentication that is longer than a traditional password, easy to remember and difficult to crack.
  • password - A password is a string of characters used to verify the identity of a user during the authentication process.
  • password cracking - Password cracking is the process of using an application program to identify an unknown or forgotten password to a computer or network resource.
  • password entropy - Password entropy is a measurement of a password's strength based on how difficult it would be to crack the password through guessing or a brute-force attack.
  • password manager - A password manager is a technology tool that helps internet users create, save, manage and use passwords across different online services.
  • password salting - Password salting is a technique to protect passwords stored in databases by adding a string of 32 or more characters and then hashing them.
  • password spraying - Password spraying is a cyberattack tactic that involves a hacker using a single password to try and break into multiple target accounts.
  • passwordless authentication - Passwordless authentication is signing into a service without using a password.
  • perfect forward secrecy (PFS) - Perfect Forward Secrecy (PFS), also known as Forward Secrecy, is an encryption style known for producing temporary private key exchanges between clients and servers.
  • personal identity verification (PIV) card - A personal identity verification (PIV) card is a United States Federal smart card that contains the necessary data for the cardholder to be granted access to Federal facilities and information systems and to assure appropriate levels of security for all applicable Federal applications.
  • physiognomy - Physiognomy is a pseudoscience based on associating personal characteristics and traits with physical differences, and especially with elements of people's faces.
  • PKI (public key infrastructure) - PKI (public key infrastructure) is the underlying framework that enables entities -- users and servers -- to securely exchange information using digital certificates.
  • possession factor - The possession factor, in a security context, is a category of user authentication credentials based on items that the user has with them, typically a hardware device such as a security token or a mobile phone used in conjunction with a software token.
  • Pretty Good Privacy (PGP) - Pretty Good Privacy or PGP was a popular program used to encrypt and decrypt email over the internet, as well as authenticate messages with digital signatures and encrypted stored files.