Learn about the key words, acronyms, and other technical terms used in the security industry.
Account takeover (often abbreviated ATO) describes the scenario where a cybercriminal or organization uses stolen or compromised credentials to gain fraudulent access to an account, and then exploits the privileges granted to or associated with that account. All manner of account types may be viable targets, including but not limited to email, banking, online shopping and even corporate or employee accounts.
An authenticator is used to confirm the identity of a user and can be something you know, something you have, or something you are. In the case of digital authentication, a person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator.
An authenticator app adds a layer of security for online accounts by generating 2-step verification codes on a mobile or desktop device.
The U.S. National Institute of Standards and Technology (NIST) SP 800-63B recommends that services requiring user authentication use methods that provide the highest level of assurance. The strength of that assurance is described by an Authenticator Assurance Level (AAL) categorization.
Authentication Assurance relies on examination of the cryptographic modules of an authenticator. Level 1 examines the algorithms used in the cryptographic component of the software. Levels 2-4 build on the software component by adding different layers of physical security. The YubiKey FIPS Series meets Level 3 requirements (AAL3) which means that the code is within a tamper-proof container so that keys used in the cryptography are destroyed if the device is physically compromised.
Biometrics are physical or behavioral human characteristics that can be used to digitally identify a person to grant access to systems, devices or data. Examples of these biometric identifiers are fingerprints, facial patterns, voice or typing cadence.
A built-in authenticator (also referred to as a platform authenticator) is built into a particular client device platform, that is, it is implemented on device. An example would be biometrics capabilities that now ship with modern devices.
In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
Certificate-based authentication is a cryptographic technique that enables computers to use documents called public-key certificates to securely identify each other across a network.
Credential stuffing is a type of cyberattack where stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords, are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.
Developed by the FIDO Alliance, the Client to Authenticator Protocol enables communication between an external authenticator (e.g. a mobile phone or other connected device) and a client (e.g. a browser) or platform (e.g. an operating system).
A cyber attack is an online attack targeting an enterprise or individual for the purpose of disrupting, disabling, destroying, or maliciously controlling their computing infrastructure; destroying the integrity of their data; or stealing controlled information.
A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. Approximately 81% of data breaches are caused by stolen credentials such as passwords.
The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity regulations that the Department of Defense (DoD) now imposes on external contractors and suppliers.
Domain Name System (DNS) spoofing (or DNS cache poisoning) is an attack in which altered DNS records are used to redirect online traffic to a fraudulent website that resembles its intended destination. The difference between “spoofing” and “phishing” is that the former downloads malware to your computer or network, and the latter tricks you into giving up sensitive financial information to a cyber crook. Phishing is a method of retrieval, while spoofing is a means of delivery.
Executive Order 14028 is a cybersecurity order issued by President Biden requiring agencies to improve and standardize the defenses of their digital systems. The EO spawned a number of policy changes to improve software supply chain security and to mandate Zero Trust cybersecurity principles and phishing-resistant MFA. The recent frequency of widespread and invasive cyber attacks prompted the government to take action.
An external authenticator (also known as a roaming authenticator) is a cross-platform authenticator that is portable. An example would be a hardware security key.
Electronic Identification (eID) is a way to secure a person’s identity to access online services in the European Union.
The Electronic Identification, Authentication and Trust Services (eIDAS) regulation is an EU regulation that helps people and businesses use their eIDs to access public services in other EU countries.
The FedRAMP Program Management Office (PMO) mission is to promote the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment.
The FIDO Alliance is an open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. Yubico has pioneered the development of authentication standards that the FIDO Alliance has adopted.
FIDO CTAP 1
The Client to Authenticator Protocol (CTAP) enables an external and portable authenticator (such as a hardware security key) to interoperate with a client platform (such as a computer). The CTAP specification refers to two protocol versions, the CTAP1/U2F protocol and the CTAP2 protocol.
FIDO CTAP 2
An authenticator that implements CTAP2 is called a FIDO2 authenticator (also called a WebAuthn authenticator). If that authenticator implements CTAP1/U2F as well, it is backward compatible with U2F. A YubiKey 5 Series security key can support both CTAP 1 and CTAP 2, which means it can support both U2F and FIDO2 and deliver strong single-factor (passwordless), strong two-factor and strong multi-factor authentication.
U2F was developed by Yubico and Google, and contributed to the FIDO Alliance after it was successfully deployed for Google employees. The protocol is designed to act as a second factor to strengthen existing username/password-based login flows. It’s built on Yubico’s invention of a scalable public-key model in which a new key pair is generated for each service and an unlimited number of services can be supported, all while maintaining full separation between them to preserve privacy.
FIDO U2F Certified
FIDO’s certification programs are a critical element in ensuring an interoperable ecosystem of products and services that organizations can leverage to deploy FIDO Authentication solutions worldwide. FIDO Alliance manages functional certification programs for its various specifications (e.g. U2F and FIDO2) to validate product conformance and interoperability. A FIDO U2F-certified device, such as a YubiKey, has gone through a full FIDO certification program and successfully meets all requirements.
FIDO2 is the passwordless evolution of FIDO U2F. The overall objective for FIDO2 is to provide an extended set of functionality to cover additional use-cases, with the main driver being passwordless login flows. The U2F model is still the basis for FIDO2 and compatibility for existing U2F deployments is provided in the FIDO2 specs.
FIDO’s certification programs are a critical element in ensuring an interoperable ecosystem of products and services that organizations can leverage to deploy FIDO Authentication solutions worldwide. FIDO Alliance manages functional certification programs for its various specifications (e.g. U2F and FIDO2) to validate product conformance and interoperability. A FIDO2-certified device, such as a YubiKey 5 Series security key, has gone through a full FIDO certification program and successfully meets all requirements.
The Federal Information Processing Standard Publication 140-2 is a U.S. government computer security standard used to approve cryptographic modules. It is published by the U.S. National Institute of Standards and Technology (NIST) and is a security standard recognized by the U.S. and Canadian governments, as well as the European Union. It is often a specification that a security solution needs to meet for some of the more security-conscious organizations globally.
To be FIPS 140-2 certified or validated, the software (and hardware) must be independently validated by one of 13 NIST-specified laboratories; this process can take weeks. The FIPS 140-2 validation process examines the cryptographic modules. Level 1 examines the algorithms used in the cryptographic component of the software. Levels 2-4 build on the software component by adding different layers of physical security. The YubiKey FIPS Series meets Level 3 requirements (AAL3), which means that the code is within a tamper-proof container so that keys used in the cryptography are destroyed if the device is physically compromised.
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
Hardware Authenticator or Token
A Hardware Authenticator is a physical object that verifies the user’s identity as they log into a system. The user needs to prove that they are in physical possession of the authenticator by connecting the device to the workstation or mobile phone over USB or NFC.
An HSM is a hardware security module that delivers enhanced protection for cryptographic keys, securing modern infrastructures. It can securely generate, store and manage digital keys.
Identity management, also known as identity and access management, is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to the right technology resources, based on their roles and privileges in the organization.
An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information for principals, such as individuals, computers or services, while providing authentication services to relying applications within a federation or distributed network.
In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol packets with a false source IP address, for the purpose of impersonating another computing system or website.
Malware is the collective term for a variety of software-based attacks with malicious intent, including ransomware, viruses, and spyware. Typically delivered in the form of a file or link over email or text that requires user action to execute, malware is usually code developed by cyberattackers, designed to gain unauthorized access to a network or to cause extensive damage to data and systems.
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.
Multi-factor authentication (MFA) can greatly enhance security while delivering a positive user experience. MFA is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence, or factors, to an authentication mechanism. Hardware security keys offer strong MFA because the credential secrets are stored securely on the hardware key and cannot be exfiltrated. Other forms of MFA, while offering stronger security than a password, cannot offer the same level of iron-clad protection as a security key.
OATH is an organization that specifies two open authentication standards: TOTP and HOTP. To authenticate using TOTP, the user enters a 6-8 digit code that changes every 30 seconds. The code is generated using HMAC(sharedSecret, timestamp), where the timestamp is the current time truncated to a 30-second step and so changes every 30 seconds. The shared secret is often provisioned as a QR code or preprogrammed into a hardware security key.
HOTP works just like TOTP, except that an authentication counter is used instead of a timestamp. The advantage of this is that HOTP devices require no clock. However, HOTP is susceptible to losing counter sync. That is, if the user generates an OTP without authenticating with it, the device counter will no longer match the server counter. This can be mitigated on the server by testing several subsequent counter values. This cannot happen with Yubico OTP since its counter is encrypted (as opposed to hashed).
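The TOTP and HOTP generation described in the two entries above, together with the server-side look-ahead that re-synchronizes a drifted HOTP counter, as an added example that is not part of this glossary or of Yubico's own software. The shared secret is the RFC 4226/6238 test value, and the window sizes are constructed choices for illustration.

```python
"""OATH HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, plus the server-side
counter look-ahead described above. Added example, not Yubico code; the secret
and window sizes below are constructed values for illustration."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """The 'timestamp' fed to HMAC is the Unix time truncated to a 30-second step."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, submitted: str, server_counter: int, look_ahead: int = 10):
    """Server-side HOTP check that tolerates lost counter sync.
    If the user generated codes without submitting them, the device counter is ahead of
    the server's, so the next `look_ahead` counter values are tested; on a match the
    server counter advances past the matching value, which also rejects replays of
    older codes. Returns (accepted, new_server_counter)."""
    if not submitted.isdigit():
        return False, server_counter
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, len(submitted)), submitted):
            return True, c + 1
    return False, server_counter


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                digits: int = 6, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step plus `skew` adjacent steps either side to absorb clock drift."""
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, unix_time + delta * step, digits, step), submitted):
            return True
    return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # RFC 4226/6238 test secret, not a real provisioned key
    print("TOTP now:", totp(SECRET, int(time.time())))
    # User pressed the button three times without logging in: device is at 3, server at 0.
    accepted, new_counter = verify_hotp(SECRET, hotp(SECRET, 3), server_counter=0)
    print(accepted, new_counter)      # True 4
```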
A one-time passcode or password (OTP) is a code that is valid for only one login session or transaction. An OTP is typically sent via SMS to a mobile phone, and OTPs are frequently used as part of two-factor authentication (2FA). NIST has recently deprecated SMS as a weak form of 2FA and encourages other approaches for strong 2FA.
OpenPGP is the most widely used email encryption standard. It is defined by the OpenPGP Working Group of the Internet Engineering Task Force (IETF) as a Proposed Standard.
Passkey is an amalgamation of the terms password and key, a simple but subtle way of highlighting its utility as an authentication mechanism as familiar and ubiquitous as the traditional password, but also conjuring the imagery of reliability associated with a sturdy lock that can only be opened by a physical key.
Passwordless refers to passwordless authentication or login which represents a massive shift in how billions of users, both business and consumer, will securely log in to their critical resources and systems. The user can simply authenticate using a passwordless device, such as a FIDO2-based hardware security key to verify their credential with the application or system.
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.
Phishing is the art of tricking people into revealing personal information. Usernames, passwords, and credit card numbers are often targeted for phishing attacks, with the intent of taking over user accounts. 59% of phishing attacks are financially motivated.
Phishing-resistant multi-factor authentication (MFA) refers to an authentication process that is immune to attackers intercepting access information or even tricking users into revealing it. It requires each party not only to provide evidence of its identity but also to communicate its intention to initiate authentication through a deliberate action.
A Personal Identity Verification (PIV) credential is a US Federal governmentwide credential used to access Federally controlled facilities and information systems at the appropriate security level.
A computing platform or digital platform is the environment in which a piece of software is executed. It may be the hardware or the operating system (OS), even a web browser and associated application programming interfaces, or other underlying software, as long as the program code is executed with it.
A platform authenticator is built into a particular client device platform, that is, it is implemented on device. An example would be biometrics capabilities that now ship with modern devices.
Privileged Access Management (PAM) is designed to define and safeguard identities with special access or capabilities beyond regular users. Specifically, a PAM system allows the organization more flexibility and control over these employees, vendors, partners, other users, and even applications, controlling how and when they have access to specific data and accounts.
Public Key Cryptography
Public key encryption, or public key cryptography, is a method of encrypting data with two different keys and making one of the keys, the public key, available for anyone to use. The other key is known as the private key. A hardware security key offers the strongest protection for private keys, as the private key is stored in the secure element and cannot be exfiltrated or obtained via a remote attack.
The Revised Payment Services Directive is an EU Directive, administered by the European Commission to regulate payment services and payment service providers throughout the European Union and European Economic Area.
Ransomware is an evolving type of malware intended to encrypt data, systems, or files, rendering them unusable or inaccessible. Malicious actors may threaten to publish the sensitive data or demand ransom in exchange for decryption.
A root of trust is an external hardware authenticator that can be used with any computer or mobile device to identify that the person accessing an account is the rightful owner.
A roaming authenticator is a cross-platform authenticator that is portable. An example would be a hardware security key.
A security key is a single purpose hardware device for authentication which is controlled by an end user. The security key enables FIDO authentication across platforms, browsers and applications.
A static password requires no back-end server integration, and works with most legacy username/password solutions. Using the YubiKey Personalization tool a YubiKey can store a user-provided password on the hardware device that never changes. Please note that a static password does not provide the same high level of security as one-time passwords.
SIM swap fraud is an account takeover scam that targets a weakness in some forms of two-factor authentication in which a call or text message sent to a mobile telephone is the second factor or step. Also known as port-out scam, digital SIM swap, SIM splitting, and simjacking, the SIM swap scam exploits the ability of subscriber identity module (SIM) cards to be ported seamlessly by mobile phone service providers from device to device bearing different telephone numbers. Typically, carriers use this feature when customers buy new phones, switch service, lose their device, or experience theft.
A smart card is a physical card that has an embedded integrated chip that acts as a security token. Smart cards are typically the same size as a driver’s license or credit card and can be made out of metal or plastic. Hardware security keys can also act as a smart card with simplified deployment.
Software Authenticator or Token
A software-based authenticator may be implemented on a general-purpose electronic device such as a laptop, a tablet computer, or a smartphone. For example, a software-based authenticator can be implemented as an authenticator app on a mobile device.
Spear phishing is an electronic communications attack against specific individuals, groups, or businesses. Tactics used in spear phishing include, but are not limited to, phony e-mails, text messages, and phone calls. Oftentimes, people in higher-ranking positions will be targeted.
Two-factor authentication (also known as 2FA or two-step verification) is a method to confirm a user’s claimed online identity by using a combination of two different types of factors. Factors used for 2FA include something that you know (e.g. a password or PIN), something that you have (e.g. a security key or phone), or something that you are (e.g. facial recognition).
2 Step Verification (Two step verification) is an authentication process requiring users to provide exactly two forms of validation before access is granted. The service provider will typically prompt for a username and password to initiate proceedings, before requesting users to provide a second validation to complete the ceremony.
Vishing, sometimes called cyber vishing, is a form of phishing that uses a traditional telephone or voice over internet protocol (VoIP) call with either an actual person talking, a text or other vishing tools. Like phishing, vishing is a type of cyber attack that uses any type of message that fraudulently represents itself as being from a trusted source with the goal of stealing information or money.
WebAuthn is a new W3C global standard for secure authentication on the Web supported by all leading browsers and platforms. WebAuthn makes it easy to offer users a choice of authenticators to protect their accounts, including external/portable authenticators such as hardware security keys, and built-in platform authenticators, such as biometric sensors.
The World Wide Web Consortium (W3C) is the main international standards organization for the World Wide Web. The W3C is made up of member organizations that work together in the development of standards for the World Wide Web, with web security being a core aspect of the standards work. The WebAuthn standard is the result of W3C security leadership with a desired outcome of standardizing web security across leading browsers, platforms and services.
The industry’s #1 security key, enabling strong two-factor, multi-factor and passwordless authentication.
Yubico OTP is a simple yet strong authentication mechanism that is supported by the YubiKey 5 Series and YubiKey FIPS Series out of the box. Yubico OTP can be used as the second factor in a two-factor authentication scheme or on its own, providing strong single-factor authentication.
The zero trust approach is an IT security model that demands every person and device provide strict identity verification to access network resources, whether or not they are inside the network perimeters. Zero trust is a holistic network security approach that is technology agnostic. Thus there is no single specific technology associated with a zero trust architecture.