Glossary: Authentication

This glossary covers essential cybersecurity and password management terminology from password policies and zero-knowledge encryption to RBAC, API authentication, and compliance frameworks like GDPR and SOC 2.


Adaptive authentication — an authentication method that dynamically adjusts authentication requirements based on a risk assessment of each login attempt, analyzing factors like user location, device, network, behavior patterns, and access context. Low-risk logins (recognized device, typical location) may require only a password, while high-risk scenarios (new device, unusual location, suspicious behavior) trigger step-up verification such as an authenticator app code or a hardware security key. Security questions are a poor step-up factor because the answers are often guessable or publicly known.

Adaptive authentication balances security and user experience by applying stronger authentication only when risk warrants it. Rule-based scoring or machine learning models analyze authentication patterns to detect anomalies; since the input signals (IP reputation, device fingerprint, geolocation) can be spoofed by a determined attacker, adaptive controls complement a strong second factor rather than replace it.

Authentication — the security process of verifying that users, applications, or devices are who they claim to be before granting access to systems or data. Authentication methods range from simple passwords to multi-factor authentication combining passwords, biometrics, security tokens, and behavioral analysis. Strong authentication prevents unauthorized access, protects sensitive data, and ensures accountability through verified identities.

Modern authentication and federation protocols include SAML, OpenID Connect, and WebAuthn. OAuth 2.0 is strictly an authorization framework, but it is usually listed alongside them because OpenID Connect is built on top of it.

Authenticator app — a mobile or desktop application that generates time-based one-time passwords (TOTP) or receives push notifications for multi-factor authentication. Authenticator apps like Passwork 2FA, Google Authenticator, Microsoft Authenticator, Authy, and Duo provide a second factor without the weaknesses of SMS delivery. To register an account, users scan a QR code that encodes an otpauth:// URI containing the shared secret; the app then derives a rotating six-digit code every 30 seconds by computing an HMAC over the current time step with that secret.

Authenticator apps provide more secure MFA than SMS since codes are generated locally and cannot be captured through SIM swapping or SS7 interception. They are not phishing-resistant, however: a user can still be tricked into typing a valid code into a look-alike site that relays it within the 30-second window, and push approvals can be worn down by repeated prompts (push fatigue) unless the app requires number matching.

Authorization — a security process that determines what authenticated users, applications, or services are permitted to access and what actions they can perform. Authorization occurs after authentication and enforces access control policies based on roles, permissions, attributes, or contexts. Authorization models include role-based access control (RBAC), attribute-based access control (ABAC), and policy-based access control. Authorization systems evaluate user permissions against requested resources, granting or denying access accordingly.

Effective authorization implements the principle of least privilege, providing minimum necessary access for users to perform their functions.

Biometric authentication — an authentication method that verifies user identity using unique biological characteristics like fingerprints, facial recognition, iris scans, or voice patterns. Biometrics are convenient and cannot be forgotten or shared like passwords, but they are identifiers rather than secrets: fingerprints are left on every surface and faces are public, so the security of a biometric system rests on the sensor's resistance to spoofing and on where the match happens. Modern devices incorporate biometric sensors (Face ID, Touch ID, Windows Hello) for passwordless authentication, matching on the device and releasing a device-bound cryptographic key rather than sending the biometric to the service. Biometric authentication is used for mobile devices, physical access control, financial transactions, and high-security environments.

Implementation considerations include privacy protection, secure biometric data storage (typically as encrypted templates, not raw images, ideally confined to a secure enclave), liveness detection to prevent spoofing with photos, masks, or replayed recordings, and fallback authentication methods that are not weaker than the biometric they replace.

Biometric data — unique physical or behavioral characteristics used to identify individuals, including fingerprints, facial features, iris patterns, voice characteristics, typing patterns, and gait. Biometric data enables authentication systems to verify identity with high accuracy. Privacy and security considerations are critical since biometric data is personally identifiable, immutable (you can't change your fingerprints), and sensitive.

Secure biometric systems store encrypted templates derived from biometric data rather than raw images, implement liveness detection to prevent spoofing, and comply with privacy regulations like GDPR and CCPA. Organizations must protect biometric data through encryption, access controls, and secure storage.

Continuous authentication — an authentication method that monitors user behavior and context throughout sessions rather than only at initial login, verifying identity continuously through behavioral biometrics, device signals, and activity patterns. Continuous authentication analyzes typing patterns, mouse movements, navigation behavior, device posture, and environmental factors to detect anomalies indicating account takeover or unauthorized access. If suspicious behavior is detected mid-session, systems can require re-authentication, limit access, or terminate sessions.

Continuous authentication enhances security for sensitive applications, financial services, and healthcare by detecting compromised sessions that passed initial authentication. This approach supports zero-trust security models requiring ongoing verification.

Hardware security key — a physical device providing cryptographic authentication for securing accounts and systems through USB, NFC, or Bluetooth connections. Hardware security keys like YubiKey, Google Titan, and Thetis implement FIDO2/WebAuthn standards for phishing-resistant, passwordless authentication. Security keys generate and store cryptographic keys that never leave the device, providing strong two-factor or passwordless authentication.

Hardware keys resist remote attacks since they require physical possession, and FIDO2/WebAuthn credentials on them are bound to the origin that registered them, so they cannot be phished or replayed against a look-alike site. Keys that also offer OTP or other legacy modes are only phishing-resistant when used in FIDO mode. Organizations deploy hardware security keys for high-security scenarios: privileged access, administrative accounts, sensitive systems, and compliance requirements demanding strong authentication beyond passwords.

Identity and access management (IAM) — policies, processes, and technologies for managing digital identities and controlling access to organizational resources. IAM systems handle user provisioning, authentication, authorization, access control, and deprovisioning across applications and infrastructure. IAM solutions provide single sign-on, multi-factor authentication, role-based access control, privileged access management, and audit logging.

Cloud IAM platforms (AWS IAM, Azure AD, now named Microsoft Entra ID, and Okta) enable centralized identity management for hybrid and multi-cloud environments.

Identity provider (IdP) — a trusted system that creates, maintains, and manages user identity information while providing authentication services to applications. IdPs centralize user authentication, enabling single sign-on (SSO) across multiple applications and services. Popular identity providers include Okta, Microsoft Azure AD, Google Workspace, Auth0, and on-premises solutions like Active Directory Federation Services.

IdPs authenticate users through passwords, multi-factor authentication, or biometrics, then issue signed security tokens (SAML assertions, OpenID Connect ID tokens, OAuth 2.0 access tokens) that applications and APIs verify against the IdP's published signing keys before trusting the identity they carry.

Multi-factor authentication (MFA) — a security method requiring users to verify their identity using two or more independent authentication factors before accessing systems or data. The factors are drawn from different categories: something you know (password), something you have (security key, phone), and something you are (biometric); two factors from the same category, such as a password plus a security question, do not count as MFA. By requiring multiple verification methods, MFA dramatically reduces unauthorized access risks even when passwords are compromised.

Organizations implement MFA to protect sensitive applications, meet compliance requirements (PCI DSS, HIPAA, SOC 2), and prevent account takeovers. Modern MFA solutions support authenticator apps, SMS codes, hardware keys, biometrics, and push notifications. These are not equally strong: SMS codes, TOTP codes, and simple push approvals can all be relayed or coerced by a real-time phishing kit, whereas FIDO2/WebAuthn authenticators (hardware keys, passkeys) are phishing-resistant and should be preferred for privileged accounts.

OAuth — an open-standard authorization framework enabling applications to access user resources on other services without sharing passwords. OAuth allows users to grant third-party applications limited, scoped access to their accounts through access tokens rather than credentials. For example, an application can be authorized to read a user's calendar without ever seeing the user's Google password; the familiar "Sign in with Google" button is OpenID Connect layered on top of the same OAuth flow.

OAuth 2.0, the current version, defines flows (grant types) for web applications, mobile apps, and server-to-server communication. The authorization code flow with PKCE is the recommended choice for web and native clients; the implicit flow is deprecated because it exposes tokens in URLs. OAuth focuses on authorization (what you can access) rather than authentication (who you are), though it's often combined with OpenID Connect for complete identity solutions.

SAML (Security Assertion Markup Language) — an XML-based standard for exchanging authentication and authorization data between identity providers and service providers, primarily used for enterprise single sign-on (SSO). SAML enables users to authenticate once with their identity provider (like Okta or Azure AD) and access multiple cloud applications without separate logins. SAML assertions contain user identity information, authentication statements, and authorization attributes.

Organizations use SAML for federated identity management, enabling secure access to SaaS applications while maintaining centralized user management. SAML supports web browser SSO, identity federation, and cross-domain authentication for enterprise environments. A service provider must validate the XML signature on each assertion against the IdP's certificate and check its audience, recipient, and validity window; skipped or partial checks (for example, verifying the signature over one element while reading the identity from another) are the root of most SAML signature-wrapping bypasses.

Single sign-on (SSO) — an authentication method that enables users to authenticate once and access multiple applications without re-entering credentials for each system. SSO improves user experience by eliminating multiple login prompts while enhancing security through centralized authentication and stronger access controls. SSO implementations use protocols like SAML, OAuth, or OpenID Connect to establish trust between identity providers and service providers.

Enterprise SSO solutions integrate with identity providers like Okta, Azure AD, and Google Workspace.

Passkeys — cryptographic credentials stored on devices that enable passwordless authentication using biometrics or device PINs without traditional passwords. Built on FIDO2 and WebAuthn standards, passkeys use public-key cryptography where private keys remain securely on user devices while public keys are stored by services. Passkeys resist phishing since they're bound to specific websites and can't be tricked into authenticating malicious sites.

Major platforms (Apple, Google, Microsoft) support passkeys synchronized across devices through encrypted cloud storage. Passkeys provide stronger security than passwords while offering convenient authentication through fingerprint, facial recognition, or device unlock methods.

Passwordless authentication — an authentication method that eliminates traditional passwords, using alternative verification methods like biometrics, hardware security keys, magic links, or passkeys. Passwordless authentication addresses password-related vulnerabilities: weak passwords, reuse, phishing, and credential theft. Users authenticate through possession factors (security keys, mobile devices), biometric factors (fingerprint, facial recognition), or cryptographic keys stored securely on devices.

Passwordless solutions improve security by eliminating password databases as attack targets while enhancing user experience through faster, simpler login flows. Technologies enabling passwordless authentication include WebAuthn, FIDO2, passkeys, and biometric authentication integrated with modern operating systems and browsers.

Risk-based authentication — an authentication method that evaluates multiple risk factors during login attempts to determine appropriate authentication requirements and access decisions. Risk assessment considers user behavior, device fingerprinting, geolocation, IP reputation, time of access, requested resources, and historical patterns. High-risk scenarios trigger step-up authentication requiring additional verification factors, while low-risk logins proceed with standard authentication.

Risk-based authentication uses real-time threat intelligence and machine learning to identify suspicious activities like credential stuffing, impossible travel, or compromised devices.
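A minimal risk scorer for the adaptive and risk-based authentication entries above, added here as an example (not code from the page or from any product). It turns login-context signals into an allow / step-up / deny decision and includes the impossible-travel check: great-circle distance between the previous and current login divided by elapsed time. The signal names, weights, thresholds, and the sample user profile and login attempts are all constructed for illustration.

```javascript
// Added example (not from the page or any product): a risk scorer that turns
// login-context signals into allow / step-up / deny. Signal names, weights,
// thresholds and the sample user profile and attempts are all constructed.

const EARTH_RADIUS_KM = 6371;
const MAX_PLAUSIBLE_KMH = 900; // roughly airliner speed

// Great-circle (haversine) distance between two {lat, lon} points, in km.
function haversineKm(a, b) {
  const rad = (deg) => (deg * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 + Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Impossible travel: the previous login and this one are farther apart than
// could be covered in the elapsed time.
function isImpossibleTravel(prev, cur) {
  const hours = (cur.at - prev.at) / 3_600_000;
  if (hours <= 0) return haversineKm(prev.geo, cur.geo) > 0;
  return haversineKm(prev.geo, cur.geo) / hours > MAX_PLAUSIBLE_KMH;
}

const SIGNAL_WEIGHTS = {
  new_device: 2, new_country: 2, bad_ip_reputation: 3, impossible_travel: 4, credential_stuffing_pattern: 3,
};

// Score one attempt against the user's history. 0 => password only;
// below 5 => step up to an authenticator app or security key; 5+ => deny and alert.
function assessLogin(attempt, profile) {
  const reasons = [];
  if (!profile.knownDeviceIds.includes(attempt.deviceId)) reasons.push('new_device');
  if (!profile.knownCountries.includes(attempt.geo.country)) reasons.push('new_country');
  if (attempt.ipReputation === 'bad') reasons.push('bad_ip_reputation');
  if (profile.lastLogin && isImpossibleTravel(profile.lastLogin, attempt)) reasons.push('impossible_travel');
  if (attempt.failedAttemptsLastHour >= 10) reasons.push('credential_stuffing_pattern');
  const score = reasons.reduce((sum, r) => sum + SIGNAL_WEIGHTS[r], 0);
  const decision = score === 0 ? 'allow' : score < 5 ? 'step_up_mfa' : 'deny';
  return { score, decision, reasons };
}

// Constructed sample data: a user who last logged in from London on a known laptop.
const LONDON = { lat: 51.5072, lon: -0.1276, country: 'GB' };
const SYDNEY = { lat: -33.8688, lon: 151.2093, country: 'AU' };
const profile = {
  knownDeviceIds: ['laptop-01'],
  knownCountries: ['GB'],
  lastLogin: { at: Date.parse('2024-05-01T09:00:00Z'), geo: LONDON },
};
const attempts = {
  sameDeviceLondon:  { deviceId: 'laptop-01', geo: LONDON, ipReputation: 'ok', failedAttemptsLastHour: 0, at: Date.parse('2024-05-01T10:00:00Z') },
  newPhoneLondon:    { deviceId: 'phone-07',  geo: LONDON, ipReputation: 'ok', failedAttemptsLastHour: 0, at: Date.parse('2024-05-01T10:30:00Z') },
  sydneyAnHourLater: { deviceId: 'laptop-01', geo: SYDNEY, ipReputation: 'ok', failedAttemptsLastHour: 0, at: Date.parse('2024-05-01T10:00:00Z') },
};

for (const [name, attempt] of Object.entries(attempts)) {
  console.log(name, assessLogin(attempt, profile));
}
```

The London-to-Sydney attempt one hour after a London login implies a speed of roughly 17,000 km/h, so it is flagged as impossible travel and, combined with the new country, crosses the deny threshold; the same laptop from London passes with no step-up, and an unknown phone in London is asked for a second factor. Real deployments tune the weights from labelled login history rather than hand-picking them.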

Security token — a physical or digital device that generates or stores authentication credentials for verifying user identity. Hardware security tokens (like YubiKey or RSA SecurID) provide strong two-factor authentication through USB, NFC, or Bluetooth connections, or as standalone code displays. Security tokens use cryptographic methods to generate one-time passwords or respond to authentication challenges. Software tokens exist as mobile apps generating time-based codes.

Only challenge-response tokens whose response is bound to the requesting origin (FIDO2/WebAuthn keys) are phishing-resistant; one-time-password tokens such as RSA SecurID or TOTP apps produce a code that a user can be tricked into typing into a phishing page, which relays it before it expires. Organizations deploy security tokens for high-security environments, privileged access, compliance requirements, and protecting sensitive systems where strong authentication beyond passwords is essential.

TOTP (Time-based one-time password) — an algorithm (RFC 6238) generating temporary, single-use authentication codes that change every 30 seconds based on the current time and a shared secret key. Each code is an HMAC (SHA-1 by default) over the current 30-second time step, truncated to six digits, so a device and a server holding the same secret compute the same code without network connectivity. Popular authenticator apps like Google Authenticator, Microsoft Authenticator, and Authy implement TOTP for generating six-digit verification codes.

TOTP enhances security by ensuring authentication codes expire quickly. The server must enforce single use by recording the last accepted time step, tolerate only a small clock-skew window (typically one step either side), and rate-limit attempts, since a six-digit code offers only a million possibilities. Organizations deploy TOTP as a secure, cost-effective multi-factor authentication method that doesn't rely on SMS or email delivery.

Two-factor authentication (2FA) — a security process requiring users to provide two different authentication factors to verify their identity. 2FA typically combines a password (knowledge factor) with a second factor like an SMS code, authenticator app token, or hardware key (possession factor). 2FA significantly enhances security beyond passwords alone by requiring attackers to compromise multiple independent factors.

Common 2FA implementations include hardware security keys and passkeys (phishing-resistant), TOTP authenticator apps (Google Authenticator, Authy), push approvals, SMS verification codes, and email confirmations, roughly in decreasing order of strength: SMS and email codes depend on channels that attackers can hijack through SIM swapping or mailbox compromise.

WebAuthn (Web Authentication API) — a web standard enabling passwordless authentication using public-key cryptography, biometrics, and hardware security keys. Developed by W3C and FIDO Alliance, WebAuthn allows websites and applications to authenticate users through built-in device authenticators (fingerprint readers, facial recognition) or external security keys. WebAuthn creates unique cryptographic key pairs for each website, with private keys stored securely on devices and public keys registered with services.

WebAuthn authentication is phishing-resistant since credentials are cryptographically bound to specific domains. Modern browsers and platforms support WebAuthn, enabling passwordless login, strong second-factor authentication, and passkey implementations.