Glossary

2

2FA (Two-Factor Authentication)

Two-factor Authentication (2FA) is a security process in which a user provides two different authentication factors to verify their identity. The first factor is typically a password, while the second factor can be something the user knows (such as a security code), something the user has (such as a smart card or a mobile phone), or something the user is (such as a fingerprint or face recognition). The combination of these two factors provides an added layer of security compared to traditional single-factor authentication methods, such as passwords alone. This helps protect against unauthorized access to sensitive information or systems, and is widely used in financial transactions, online banking, and other applications where security is critical. By requiring a second factor of authentication, 2FA helps reduce the risk of password-based security breaches and provides a more secure way to access sensitive information and resources.
Also see MFA

A

AD (Active Directory)

Active Directory is a centralized database that provides authentication and authorization services for a Microsoft Windows-based network. It is a core component of Microsoft’s network operating system, and provides a single, secure repository for all user identities, computers, and applications. Active Directory enables administrators to manage network resources by organizing objects such as users, computers, and printers into logical units, known as domains. It also provides centralized administration and policy enforcement, as well as enabling single sign-on (SSO) for Windows-based applications and services. With its ability to integrate with other systems and applications, Active Directory is an essential component of many organizations’ IT infrastructures.

ADFS (Active Directory Federation Services)

Active Directory Federation Services (ADFS) is a Microsoft technology that enables secure and seamless single sign-on (SSO) across different systems and applications. ADFS acts as a trusted intermediary between organizations and their partners or customers, allowing them to authenticate and authorize access to resources using their existing credentials. This reduces the need for users to remember multiple usernames and passwords, simplifying the authentication process and improving user experience. ADFS uses industry-standard protocols such as Security Assertion Markup Language (SAML) and OAuth to provide secure and reliable identity federation. It is compatible with various platforms and applications, including web-based and cloud-based solutions. ADFS also supports multi-factor authentication (MFA) and conditional access policies to provide additional layers of security. Overall, ADFS helps organizations streamline their authentication and authorization processes and improve their security posture.

Asymmetric Encryption

Asymmetric encryption is a cryptographic technique that uses a pair of keys – public and private keys – to encrypt and decrypt data. The public key is used to encrypt the data, while the private key is used to decrypt it. Asymmetric encryption provides a more secure communication method than symmetric encryption, as it eliminates the need for the parties to share a secret key.

B

Brute Force Attacks

Brute force attacks are a type of cybersecurity threat in which attackers systematically attempt every possible combination of characters to gain access to a system or an account. This method is often used to crack weak passwords by repeatedly trying different password combinations until the correct one is found, highlighting the importance of strong and complex passwords.

This rudimentary yet effective method poses a significant risk to digital security. Attackers use automated tools to test thousands of password combinations, targeting both personal and corporate accounts.

C

Certificate (aka Digital Certificate or Public Key Certificate)

A digital certificate is a secure electronic document that is used to authenticate the identity of individuals, devices, or websites. It contains identifying information about the certificate holder, including their public key and other details, and is issued by a trusted third-party organization known as a certificate authority. Digital certificates are commonly used in secure communication protocols such as SSL/TLS to ensure the authenticity and integrity of transmitted data.

Certificates use a cryptographic system that involves two keys – a public key and a private key – to encrypt and protect sensitive information from unauthorized access. Public key certificates are crucial to online security, reducing the risk of phishing attacks and other online scams. Obtaining a public key certificate from a trusted Certificate Authority (CA) is essential for compliance with data protection regulations and building trust with customers.

Certificate Authority

A certificate authority (CA) is a trusted third-party organization that issues digital certificates to validate the identity of individuals, devices, or websites. A CA verifies the identity of the requester before issuing a digital certificate, which contains the requester’s public key and other identifying information. This certificate can be used by the requester to establish secure communication with other parties.

Credential Stuffing Attacks

Credential stuffing attacks are a type of cyberattack where malicious actors use stolen username and password combinations, typically obtained from data breaches on other websites, to gain unauthorized access to user accounts on a target platform.

These attacks exploit the common practice of reusing passwords across multiple online services. Attackers automate the process, testing thousands of credential combinations across various websites. The consequences range from identity theft to financial fraud.
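The two attack shapes described in the Brute Force Attacks and Credential Stuffing Attacks entries look different in an authentication log: brute force concentrates many failures on one account, credential stuffing spreads a few failures over many accounts from the same source. The Python below is an added detection example, not part of the original glossary; the log format, the field names and the thresholds are constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed log format (constructed for this example): "<timestamp> FAIL user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) FAIL user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample of failed-login events (not real log data).
SAMPLE_LOG = """\
2024-01-01T10:00:01 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:02 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:03 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:04 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:05 FAIL user=alice src=203.0.113.5
2024-01-01T10:01:00 FAIL user=carol src=198.51.100.7
2024-01-01T10:01:01 FAIL user=dave src=198.51.100.7
2024-01-01T10:01:02 FAIL user=erin src=198.51.100.7
2024-01-01T10:01:03 FAIL user=frank src=198.51.100.7
2024-01-01T10:02:00 FAIL user=bob src=192.0.2.9
2024-01-01T10:02:30 FAIL user=bob src=192.0.2.9
"""


def parse_failures(log_text):
    """Return (src, user) pairs for every parsable failed-login line; skip the rest."""
    pairs = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group("src"), m.group("user")))
    return pairs


def classify_sources(pairs, brute_min=5, stuffing_min_users=4, stuffing_max_per_user=2):
    """Label each source IP by the shape of its failures (thresholds are assumptions).

    brute_force:         many failures concentrated on a single account
    credential_stuffing: failures spread thinly across many distinct accounts
    Sources matching neither pattern are left unlabelled.
    """
    per_src = defaultdict(Counter)
    for src, user in pairs:
        per_src[src][user] += 1
    verdicts = {}
    for src, users in per_src.items():
        if max(users.values()) >= brute_min:
            verdicts[src] = "brute_force"
        elif len(users) >= stuffing_min_users and max(users.values()) <= stuffing_max_per_user:
            verdicts[src] = "credential_stuffing"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{src}: {verdict}")
```

In the sample, 203.0.113.5 is flagged as brute force, 198.51.100.7 as credential stuffing, and 192.0.2.9 (two failures on one account) stays unlabelled.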

Cybersecurity

Cybersecurity is a field that focuses on defending computer systems, networks, and digital information from unauthorized access, attacks, and vulnerabilities. It aims to maintain the privacy (confidentiality), accuracy (integrity), and accessibility (availability) of data and systems while preventing cyber threats like hacking, malware, and unauthorized access.

D

Defense in Depth

Defense in Depth (DiD) is a cybersecurity strategy that employs a series of defensive mechanisms to protect data and information systems, akin to the layered defenses of a medieval castle. This approach is based on the military principle that it’s more difficult for an attacker to breach multiple layers of defense.

In the context of cybersecurity, DiD involves layering various security measures and controls across the different components of an organization’s IT infrastructure, including physical security, network security, computer security, application security, and data security. The analogy with a castle highlights the effectiveness of multiple layers of defense; just as a castle has outer walls, a moat, inner walls, and a keep to protect its inhabitants, DiD uses multiple security layers to ensure that if one layer is breached, others are still in place to thwart an attack. This redundancy ensures that even if a security control fails or a vulnerability is exploited, other layers of defense will continue to protect the system, mirroring the comprehensive protection strategy of a well-fortified castle.

F

Federation (Federated Identity Management)

Federated identity is a set of technologies and standards that enable users to access multiple systems and services with a single set of credentials. Rather than requiring users to remember and manage multiple usernames and passwords, federated identity allows users to authenticate once and gain access to all the systems and services that have been enabled for federated identity.

FIDO2 (Fast Identity Online 2)

A set of open authentication standards that aim to reduce reliance on passwords by enabling users to authenticate using biometric data, such as fingerprints or facial recognition. FIDO2 aims to improve security and user experience by providing a simpler and more secure authentication method.

I

IAM (Identity & Access Management)

Identity and Access Management (IAM), also known as Identity Management, is the practice of controlling access to digital resources by defining who is and is not allowed to access them. This includes processes for authentication (verifying the identity of a user), authorization (determining what resources a user is allowed to access), access management (providing access to the user), and audit and compliance (verifying that access controls are working as intended).

IGA (Identity Governance and Administration)

Identity Governance and Administration (IGA) is a framework for managing and securing digital identities and access privileges within an organization. It involves defining and enforcing policies and procedures for creating, maintaining, and revoking user access rights, as well as monitoring and reporting on access activity.
IGA systems typically include features for identity lifecycle management, access request and approval workflows, role-based access control, and audit trails.
By centralizing identity and access management functions, IGA helps organizations to ensure compliance with regulatory requirements, mitigate security risks, and improve operational efficiency.

L

LDAP (Lightweight Directory Access Protocol)

LDAP, or Lightweight Directory Access Protocol, is a widely-used, open standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. LDAP is used by many organizations as a centralized repository for storing and managing user, group, and resource information, making it a critical component of modern network infrastructure.

M

mOTP (Mobile One Time Password)

mOTP (Mobile One Time Password): An OTP that is generated and sent to a user’s mobile device via SMS or a mobile app. mOTPs are widely used in two-factor authentication to provide an additional layer of security.
Also see OTP

MFA (Multi-Factor Authentication)

MFA (Multi-Factor Authentication) is a security process that requires multiple methods of authentication from independent categories of authentication methods to verify a user’s identity. This helps to ensure that the person accessing a device, service or application is who they claim to be. MFA can include combinations of something the user knows (such as a password or PIN), something the user has (such as a smart card or security token), or something the user is (such as a biometric factor like a fingerprint). Implementing MFA can greatly reduce the risk of unauthorized access and data breaches.

N

NAC (Network Access Control)

Network Access Control (NAC) controls access to network resources by enforcing policies that determine the level of access granted to users and devices attempting to connect to the network. NAC systems typically utilize a combination of authentication, authorization, and compliance verification to ensure that only authorized and secure devices and users are allowed to access the network. By implementing NAC, organizations can reduce the risk of network attacks, prevent unauthorized access to sensitive data, and improve overall network security posture.

O

OAuth (Open Authorization)

OAuth (Open Authorization) is an open standard protocol used for secure authorization and access delegation, typically for web-based applications. OAuth enables users to grant access to their resources or data stored on one website or application, to another website or application, without sharing their login credentials.

OAuth provides a way to securely transfer authorization information between a resource owner, a resource server, and a client application. OAuth messages are signed and encrypted, providing an additional layer of security.

OAuth is widely used in modern identity and access management (IAM) solutions, and is supported by many popular web-based applications and platforms.

OpenID Connect (OIDC)

OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol, used for secure user authentication and authorization. OIDC enables the authentication of end-users against an identity provider (IdP) and the sharing of identity information between different systems.

OIDC allows users to authenticate with a single set of credentials across multiple applications and services, reducing the need for multiple usernames and passwords. OIDC messages are signed and encrypted, providing an additional layer of security.

OIDC provides a standard way to authenticate users across different applications and platforms, and is supported by many popular identity and access management (IAM) solutions.

OTP (One Time Password)

One-Time Password (OTP) is a security mechanism that generates a unique password for each authentication attempt. The OTP is typically valid for a single login session or transaction and is rendered useless thereafter, making it a highly secure form of authentication. OTP is commonly used as a second factor of authentication alongside a primary password or username, and can be delivered via various means such as SMS, email, or a dedicated OTP token. Using OTPs helps mitigate the risk of password-based attacks such as phishing, keylogging, and brute-force attacks, making it a widely adopted solution for enhancing the security of online services and transactions.

P

Passkeys

Passkeys are cryptographic keys or codes used for authentication and access control in security systems. Passkeys can take various forms, including traditional alphanumeric passwords, biometric data, or secure tokens.
Passkeys are an innovative password-free authentication method, enhancing online security and user experience. By utilizing elements like Face ID, Touch ID, or device passcodes, passkeys offer a secure and convenient alternative to traditional passwords. They are increasingly supported by major websites and platforms, promising improved security against common cyber threats.

Passwordless Authentication

Passwordless authentication is an innovative approach to user login that eliminates the need for traditional passwords. Instead, it relies on more secure methods such as biometrics (fingerprint or facial recognition), smart cards, or one-time codes sent to mobile devices to verify a user’s identity. Passwordless authentication enhances security by reducing the risk associated with password-related vulnerabilities.

Presence-based Logical Access

Presence-based Logical Access is a type of logical access control that uses the physical presence of an individual to grant or deny access to a computer or network resource. This can be done through a variety of means, such as proximity sensors or location-based services. For example, an employee’s smartphone could be used to confirm their physical presence in the office before granting access to certain files or applications. This type of access control is often used to enhance security in high-risk environments or to enforce compliance with strict regulatory requirements.

Phishing Attack

Phishing attacks are deceptive and fraudulent attempts to trick individuals into divulging sensitive information, such as usernames, passwords, credit card details, or personal data.

Typically, phishing attacks are carried out through fake emails, websites, or messages that impersonate legitimate sources, luring victims into unwittingly providing their confidential information. Awareness and education are key to combating phishing.

Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a set of technologies, policies, and procedures that are used to create and manage Digital Certificates. PKI enables secure online communication by providing a system for securely exchanging and verifying Public Keys.

PKI is based on a system of Digital Certificates that provide authentication and encryption services. The Certificates are issued by a trusted third party, known as a Certificate Authority (CA), which is responsible for verifying the identity of the Certificate holder.

PSD2 (Payment Services Directive 2)

A regulatory framework that governs electronic payments within the European Union. PSD2 aims to increase the security of online transactions and promote competition within the payment industry by requiring banks to allow third-party payment providers access to customer data.

Public Key / Private Key

Public key and private key are a pair of cryptographic keys that are used in encryption algorithms to secure data. The public key is available to anyone and is used to encrypt data, while the private key is kept secret and is used to decrypt data. Asymmetric encryption enables secure communication over public networks by allowing parties to securely exchange data without sharing their private keys.

R

Radius Bridge

RCDevs RADIUS Bridge provides the RADIUS RFC-2864 API for your OpenOTP Server. It allows you to integrate a large variety of third-party products and systems, such as Microsoft reverse proxies, VPNs, Citrix or VMware, with Multi-Factor Authentication.

Radius Protocol

RADIUS (Remote Authentication Dial-In User Service) is a widely adopted networking protocol that provides centralized authentication, authorization, and accounting (AAA) services for users who connect to and use a network service. RADIUS is used to manage access to network resources and provides strong security, centralized management, scalability, and compatibility.

RSA Encryption

RSA encryption is a widely-used public key cryptosystem, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman.
It involves the use of two keys, a public key and a private key, to encrypt and decrypt messages. The public key is freely distributed and can be used to encrypt messages that only the corresponding private key can decrypt. The private key is kept secret by the owner and is used to decrypt messages that have been encrypted with the corresponding public key.

RSA encryption is based on the mathematical properties of large prime numbers, and is considered to be highly secure if the keys are generated and used properly. It is commonly used in digital communications, such as secure email and online transactions, as well as in digital signatures and key exchange protocols.

S

SAML (Security Assertion Markup Language)

Security Assertion Markup Language (SAML) is an XML-based standard used for exchanging authentication and authorization data between different security domains, typically across web-based applications. SAML enables single sign-on (SSO) and allows users to access multiple applications with a single set of login credentials.

SAML provides a way to securely transfer authentication and authorization information between an identity provider (IdP) and a service provider (SP), such as a web application. SAML messages are signed and encrypted, providing an additional layer of security.

SAML is widely used in enterprise environments and is supported by many web-based applications and platforms, including popular identity and access management (IAM) solutions.

Single Sign-On (SSO)

Single Sign-On (SSO) is a technical authentication process that allows users to access multiple applications or services using a single set of login credentials. SSO works by securely storing and sharing user authentication data across multiple systems, eliminating the need for users to remember and manage multiple usernames and passwords.

By using SSO, organizations can enhance security by centralizing access control, reducing the risk of password-related security breaches, and simplifying user management. SSO can be implemented using various technologies, including SAML, OAuth, and OpenID Connect.

Strong Authentication

Strong authentication acts as a potent deterrent against unauthorized access attempts and data breaches. It requires users to provide evidence beyond mere passwords, incorporating elements such as biometric data (e.g., fingerprints, facial recognition), cryptographic keys, smartcards, and one-time passwords (OTP) generated through secure apps or hardware tokens. By integrating these factors, strong authentication mitigates risks associated with weak passwords, social engineering, and phishing attacks, thereby safeguarding digital assets from sophisticated cyber threats.

T

TOTP (Time-based One Time Password)

TOTP (Time-based One Time Password): An OTP that is generated by a token or mobile app and is valid for a fixed period of time, usually 30 seconds. TOTPs are widely used in two-factor authentication to provide an additional layer of security.
Also see OTP

V

Virtual Private Network (VPN)

A Virtual Private Network (VPN) is a secure network connection that allows users to access resources and communicate with others over the internet as if they were on a private network. VPNs use encryption and tunneling protocols to create a secure connection between the user’s device and a VPN server, which encrypts the data sent between the two endpoints. This technology is commonly used to protect online privacy, bypass geo-restrictions, and improve security when using public Wi-Fi networks.

Z

Zero Trust (Zero Trust Security Model)

The zero trust security model operates under the principle of “never trust, always verify”. This concept requires that devices are not automatically trusted, even if they are connected to a permissioned network or were previously verified. To implement zero trust network access (ZTNA), organizations must establish strong identity verification, validate device compliance before granting access, and ensure that only explicitly authorized resources are accessed. Traditional security models that rely on trusting devices within a corporate perimeter or via a VPN are not effective in the complex modern corporate network landscape. Zero trust advocates mutual authentication, device identity and integrity checks, and access to applications and services based on user authentication and device health.
