
Cybersecurity Glossary

Learn about the key words, acronyms, and other technical terms used in the security industry to stay informed.

A

Authenticator

An authenticator is used to confirm the identity of a user and can be something you know, something you have, or something you are. In the case of digital authentication, a person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator.

Authenticator App

An authenticator app adds a layer of security for online accounts by generating 2-step verification codes on a mobile or desktop device.


Authentication Assurance

The U.S. National Institute of Standards and Technology (NIST) SP 800-63B recommends that services requiring user authentication use methods that provide the highest level of assurance. The robustness of this confidence is described by an Authenticator Assurance Level (AAL) categorization.


Authentication Assurance Level 3 (AAL3)

Authentication Assurance relies on examination of the cryptographic modules of an authenticator. Level 1 examines the algorithms used in the cryptographic component of the software. Levels 2-4 build on the software component by adding different layers of physical security. The YubiKey FIPS Series meets Level 3 requirements (AAL3), which means that the code is within a tamper-proof container so that the keys used in the cryptography are destroyed if the device is physically compromised.


B

Biometrics

Biometrics are physical or behavioral human characteristics that can be used to digitally identify a person to grant access to systems, devices or data. Examples of these biometric identifiers are fingerprints, facial patterns, voice or typing cadence.


Built-in Authenticator

A built-in authenticator (also referred to as a platform authenticator) is built into a particular client device platform, that is, it is implemented on the device itself. An example would be the biometric capabilities that now ship with modern devices.

Brute Force Attack

In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.


C

Credential Stuffing

Credential stuffing is a type of cyberattack in which stolen account credentials, typically lists of usernames and/or email addresses with the corresponding passwords, are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.


Cross-Platform

In computing, cross-platform (also multi-platform) describes software or hardware that works across different computing platforms (Windows, iOS, Android, macOS, Linux) or even different device types (desktops, mobile).


CTAP

Developed by the FIDO Alliance, the Client to Authenticator Protocol enables communication between an external authenticator (e.g. a mobile phone or a connected device) and a client (e.g. a browser) or platform (e.g. an operating system).


D

Data Breach

A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. Approximately 81% of data breaches are caused by stolen credentials such as passwords.


DFARS

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity regulations that the Department of Defense (DoD) now imposes on external contractors and suppliers.


DNS Spoofing

Domain Name System (DNS) spoofing (or DNS cache poisoning) is an attack in which altered DNS records are used to redirect online traffic to a fraudulent website that resembles its intended destination. The difference between “spoofing” and “phishing” is that the former downloads malware to your computer or network, while the latter tricks you into giving up sensitive financial information to a cyber crook. Phishing is a method of retrieval, while spoofing is a means of delivery.

E

External Authenticator

An external authenticator (also known as a roaming authenticator) is a cross-platform authenticator that is portable. An example would be a hardware security key.

eID

Electronic Identification (eID) is a way of securely proving a person’s identity in order to access online services in the European Union.


eIDAS

The Electronic Identification, Authentication and Trust Services (eIDAS) regulation is a European Union regulation that helps people and businesses use their eIDs to access public services in other EU countries.


F

FedRAMP

The FedRAMP Program Management Office (PMO) mission is to promote the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment.

FIDO Alliance

The FIDO Alliance is an open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. Yubico has pioneered the development of authentication standards that the FIDO Alliance has adopted.


FIDO CTAP 1

The Client to Authenticator Protocol (CTAP) enables an external and portable authenticator (such as a hardware security key) to interoperate with a client platform (such as a computer). The CTAP specification refers to two protocol versions, the CTAP1/U2F protocol and the CTAP2 protocol.

FIDO CTAP 2

An authenticator that implements CTAP2 is called a FIDO2 authenticator (also called a WebAuthn authenticator). If that authenticator implements CTAP1/U2F as well, it is backward compatible with U2F. A YubiKey 5 Series security key can support both CTAP 1 and CTAP 2 which means it can support both U2F and FIDO2 and deliver strong single factor (passwordless), strong two-factor and strong multi-factor authentication.

FIDO Universal 2nd Factor (U2F)

U2F was developed by Yubico and Google, and contributed to the FIDO Alliance after it was successfully deployed for Google employees. The protocol is designed to act as a second factor to strengthen existing username/password-based login flows. It’s built on Yubico’s invention of a scalable public-key model in which a new key pair is generated for each service and an unlimited number of services can be supported, all while maintaining full separation between them to preserve privacy.


FIDO U2F Certified

FIDO’s certification programs are a critical element in ensuring an interoperable ecosystem of products and services that organizations can leverage to deploy FIDO Authentication solutions worldwide. FIDO Alliance manages functional certification programs for its various specifications (e.g. U2F and FIDO2) to validate product conformance and interoperability. A FIDO U2F-certified device, such as a YubiKey, has gone through a full FIDO certification program and successfully meets all requirements.

FIDO2

FIDO2 is the passwordless evolution of FIDO U2F. The overall objective for FIDO2 is to provide an extended set of functionality to cover additional use-cases, with the main driver being passwordless login flows. The U2F model is still the basis for FIDO2 and compatibility for existing U2F deployments is provided in the FIDO2 specs.


FIDO2 Certified

FIDO’s certification programs are a critical element in ensuring an interoperable ecosystem of products and services that organizations can leverage to deploy FIDO Authentication solutions worldwide. FIDO Alliance manages functional certification programs for its various specifications (e.g. U2F and FIDO2) to validate product conformance and interoperability. A FIDO2-certified device, such as a YubiKey 5 Series security key, has gone through a full FIDO certification program and successfully meets all requirements.


FIPS 140-2

The Federal Information Processing Standard Publication 140-2 is a U.S. government computer security standard used to approve cryptographic modules. It is published by the U.S. National Institute of Standards and Technology (NIST) and is a security standard recognized by the U.S. and Canadian governments, as well as the European Union. It is often a specification that a security solution needs to meet for some of the more security-conscious organizations globally.


FIPS 140-2 Certified/Validated

To be FIPS 140-2 certified or validated, the software (and hardware) must be independently validated by one of 13 NIST-specified laboratories; this process can take weeks. The FIPS 140-2 validation process examines the cryptographic modules. Level 1 examines the algorithms used in the cryptographic component of the software. Levels 2-4 build on the software component by adding different layers of physical security. The YubiKey FIPS Series meets Level 3 requirements (AAL3), which means that the code is within a tamper-proof container so that the keys used in the cryptography are destroyed if the device is physically compromised.


G

GDPR

The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.


H

Hardware Authenticator or Token

A hardware authenticator is a physical object that verifies the user’s identity as they log into a system. The user needs to prove that they are in physical possession of the authenticator by presenting the device to the workstation or mobile phone over a USB or NFC connection.

HSM

An HSM is a hardware security module that delivers enhanced protection for cryptographic keys, securing modern infrastructures. It can securely generate, store and manage digital keys.


I

IAM

Identity management, also known as identity and access management, is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to the right technology resources, based on their roles and privileges in the organization.


IDP

An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information for principals, such as individuals, computers or services, while providing authentication services to relying applications within a federation or distributed network.

IP Spoofing

In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol packets with a false source IP address, for the purpose of impersonating another computing system or website.


M

Man-in-the-Middle (MiTM) Attacks

In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.


O

OATH - TOTP (Time)

OATH is an organization that specifies two open authentication standards: TOTP and HOTP. To authenticate using TOTP, the user enters a 6-8 digit code that changes every 30 seconds. The code is generated using HMAC(sharedSecret, timestamp), where the timestamp value changes every 30 seconds. The shared secret is often provisioned as a QR code or preprogrammed into a hardware security key.


OATH - HOTP (Event)

HOTP works just like TOTP, except that an authentication counter is used instead of a timestamp. The advantage of this is that HOTP devices require no clock. However, HOTP is susceptible to losing counter sync. That is, if the user generates an OTP without authenticating with it, the device counter will no longer match the server counter. This can be mitigated on the server by testing several subsequent counter values. This cannot happen with Yubico OTP since its counter is encrypted (as opposed to hashed).
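The TOTP and HOTP entries above describe the same construction, so the following added example (not code from the page or from Yubico) implements both: HOTP per RFC 4226, TOTP per RFC 6238 as HOTP over a 30-second time-step counter, and the server-side look-ahead check that recovers from HOTP counter drift. The secret is the RFC reference test secret, used here only as a constructed demo value.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 reference secret (ASCII
# "12345678901234567890"). Real secrets are random, provisioned via QR code
# or pre-programmed onto the hardware key, never hard-coded.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits (6-8 in practice)."""
    if not 6 <= digits <= 8:
        raise ValueError("digits must be between 6 and 8")
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so the code changes every 30 seconds."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, candidate: str, server_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side HOTP check with a look-ahead window, so a user who pressed
    the token a few times without logging in can still authenticate.
    Returns the next server counter on success, None on failure. The
    comparison is constant-time so timing does not reveal matching digits."""
    for delta in range(look_ahead + 1):
        c = server_counter + delta
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1          # move past the used counter: no replay of it or earlier ones
    return None


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                digits: int = 6, step: int = 30, skew: int = 1) -> bool:
    """Server-side TOTP check tolerating +/- `skew` time steps of clock drift."""
    t = unix_time // step
    return any(hmac.compare_digest(hotp(secret, t + d, digits), candidate)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    print("HOTP for counters 0..2:", [hotp(DEMO_SECRET, c) for c in range(3)])
    print("TOTP at t=59 (8 digits):", totp(DEMO_SECRET, 59, digits=8))
    print("TOTP right now:", totp(DEMO_SECRET, int(time.time())))
    # The token was pressed four times without logging in; the server is still at 0.
    print("resync ->", verify_hotp(DEMO_SECRET, hotp(DEMO_SECRET, 4), 0))
```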


One-Time Password (OTP)

A one-time passcode or password (OTP) is a code that is valid for only one login session or transaction. An OTP is typically sent via SMS to a mobile phone, and OTPs are frequently used as part of two-factor authentication (2FA). NIST has recently deprecated SMS as a weak form of 2FA and encourages other approaches for strong 2FA.


OpenPGP

OpenPGP is the most widely used email encryption standard. It is defined by the OpenPGP Working Group of the Internet Engineering Task Force (IETF) as a Proposed Standard.


P

Passwordless

Passwordless refers to passwordless authentication or login which represents a massive shift in how billions of users, both business and consumer, will securely log in to their critical resources and systems. The user can simply authenticate using a passwordless device, such as a FIDO2-based hardware security key to verify their credential with the application or system.


PGP

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.

Phishing

Phishing is the art of tricking people into revealing personal information. Usernames, passwords, and credit card numbers are often targeted for phishing attacks, with the intent of taking over user accounts. 59% of phishing attacks are financially motivated.


PIV

A Personal Identity Verification (PIV) credential is a US Federal government-wide credential used to access Federally controlled facilities and information systems at the appropriate security level.

Platform

A computing platform or digital platform is the environment in which a piece of software is executed. It may be the hardware or the operating system (OS), even a web browser and associated application programming interfaces, or other underlying software, as long as the program code is executed with it.

Platform Authenticator

A platform authenticator is built into a particular client device platform, that is, it is implemented on the device itself. An example would be the biometric capabilities that now ship with modern devices.

Public Key Cryptography

Public key encryption, or public key cryptography, is a method of encrypting data with two different keys and making one of the keys, the public key, available for anyone to use. The other key is known as the private key. A hardware security key offers the strongest protection for private keys, as the private key is stored in the secure element and cannot be exfiltrated or obtained via a remote attack.

PSD2

The Revised Payment Services Directive is an EU Directive, administered by the European Commission to regulate payment services and payment service providers throughout the European Union and European Economic Area.

R

Root of Trust

A root of trust is an external hardware authenticator that can be used with any computer or mobile device to identify that the person accessing an account is the rightful owner.


Roaming Authenticator

A roaming authenticator is a cross-platform authenticator that is portable. An example would be a hardware security key.

S

Security Key

A security key is a single purpose hardware device for authentication which is controlled by an end user. The security key enables FIDO authentication across platforms, browsers and applications.


Secure Static Password

A static password requires no back-end server integration, and works with most legacy username/password solutions. Using the YubiKey Personalization tool a YubiKey can store a user-provided password on the hardware device that never changes. Please note that a static password does not provide the same high level of security as one-time passwords.


Smart Card

A smart card is a physical card that has an embedded integrated chip that acts as a security token. Smart cards are typically the same size as a driver's license or credit card and can be made out of metal or plastic. Hardware security keys can also act as a smart card with simplified deployment.


Software Authenticator or Token

A software-based authenticator may be implemented on a general-purpose electronic device such as a laptop, a tablet computer, or a smartphone. For example, a software-based authenticator can be implemented as an authenticator app on a mobile device.

Strong Two Factor Authentication (2FA)

Two-factor authentication (also known as 2FA or two-step verification) is a method to confirm a user’s claimed online identity by using a combination of two different types of factors. Factors used for 2FA include something that you know (e.g. a password or PIN), something that you have (e.g. a security key or phone), and something that you are (e.g. facial recognition).


Strong Multi-factor Authentication (MFA)

Multi-factor authentication (MFA) can greatly enhance security while delivering a positive user experience. MFA is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence, or factors, to an authentication mechanism. Hardware security keys offer strong MFA because the credential secrets are stored securely on the hardware key and cannot be exfiltrated. Other forms of MFA, while offering stronger security than a password, cannot offer the same level of iron-clad protection as a security key.


W

WebAuthn

WebAuthn is a new W3C global standard for secure authentication on the Web, supported by all leading browsers and platforms. WebAuthn makes it easy to offer users a choice of authenticators to protect their accounts, including external/portable authenticators such as hardware security keys, and built-in platform authenticators such as biometric sensors.


W3C

The World Wide Web Consortium (W3C) is the main international standards organization for the World Wide Web. The W3C is made up of member organizations that work together in the development of standards for the World Wide Web, with web security being a core aspect of the standards work. The WebAuthn standard is the result of W3C security leadership with a desired outcome of standardizing web security across leading browsers, platforms and services.


Y

YubiKey

The industry's #1 security key, enabling strong two-factor, multi-factor and passwordless authentication.


Yubico OTP

Yubico OTP is a simple yet strong authentication mechanism that is supported by the YubiKey 5 Series and YubiKey FIPS Series out-of-the-box. Yubico OTP can be used as the second factor in a 2-factor authentication scheme or on its own providing strong single factor authentication.

