Learn about the key words, acronyms, and other technical terms used in the security industry to stay informed.
An authenticator is used to confirm the identity of a user and can be something you know, something you have, or something you are. In the case of digital authentication, a person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator.
The U.S. National Institute of Standards and Technologies (NIST) SP 800-63B recommends that for services where user authentication is required, they must authenticate using methods that provide the highest level of assurance. The robustness of this confidence is described by an AAL categorization.
Authentication Assurance Level 3 (AAL3)
Authentication Assurance relies on examination of the cryptographic modules of an authenticator. Level 1 examines the algorithms used in the cryptographic component of the software. Levels 2-4 build on the software component by adding different layers of physical security. The YubiKey FIPS Series meets Level 3 requirements (AAL3) which means that the code is within a tamper-proof container so that keys used in the cryptography are destroyed if the device is physically compromised.
Biometrics are physical or behavioral human characteristics that can be used to digitally identify a person to grant access to systems, devices or data. Examples of these biometric identifiers are fingerprints, facial patterns, voice or typing cadence.
A built-in authenticator (also referred to as a platform authenticator) is built into a particular client device platform, that is, it is implemented on device. An example would be biometrics capabilities that now ship with modern devices.
Brute Force Attack
In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.
Developed by the FIDO Alliance, the Client to Authenticator Protocol enables communication between an external authenticator (i.e. mobile phones, connected devices) and another client (e.g. browser) or platform (re: operating system).
A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. Approximately 81% of data breaches are caused by stolen credentials such as passwords.
The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity regulations that the Department of Defense (DoD) now imposes on external contractors and suppliers.
Domain Name Server (DNS) spoofing (or DNS cache poisoning) is an attack in which altered DNS records are used to redirect online traffic to a fraudulent website that resembles its intended destination. The difference between “spoofing” and “phishing” is that the former downloads malware to your computer or network, and the latter tricks you into giving up sensitive financial information to a cyber crook. Phishing is a method of retrieval, while spoofing is a means of delivery.
An external authenticator (also known as a roaming authenticator) is a cross-platform authenticator that is portable. An example would be a hardware security key.
The Electronic Identification, Authentication and Trust Services (eIDAS) is a regulation in the European Union used to help people and businesses use their eID’s to access public services in other EU countries.
The FedRAMP Program Management Office (PMO) mission is to promote the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment.
The FIDO Alliance is an open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. Yubico has pioneered the development of authentication standards that the FIDO Alliance has adopted.
FIDO CTAP 1
The Client to Authenticator Protocol (CTAP) enables an external and portable authenticator (such as a hardware security key) to interoperate with a client platform (such as a computer). The CTAP specification refers to two protocol versions, the CTAP1/U2F protocol and the CTAP2 protocol.
FIDO CTAP 2
An authenticator that implements CTAP2 is called a FIDO2 authenticator (also called a WebAuthn authenticator). If that authenticator implements CTAP1/U2F as well, it is backward compatible with U2F. A YubiKey 5 Series security key can support both CTAP 1 and CTAP 2 which means it can support both U2F and FIDO2 and deliver strong single factor (passwordless), strong two-factor and strong multi-factor authentication.
FIDO Universal 2nd Factor (U2F)
U2F was developed by Yubico and Google, and contributed to the FIDO Alliance after it was successfully deployed for Google employees. The protocol is designed to act as a second factor to strengthen existing username/password-based login flows. It’s built on Yubico’s invention of a scalable public-key model in which a new key pair is generated for each service and an unlimited number of services can be supported, all while maintaining full separation between them to preserve privacy.
FIDO U2F Certified
FIDO’s certification programs are a critical element in ensuring an interoperable ecosystem of products and services that organizations can leverage to deploy FIDO Authentication solutions worldwide. FIDO Alliance manages functional certification programs for its various specifications (e.g. U2F and FIDO2) to validate product conformance and interoperability. A FIDO U2F-certified device, such as a YubiKey, has gone through a full FIDO certification program and successfully meets all requirements.
FIDO2 is the passwordless evolution of FIDO U2F. The overall objective for FIDO2 is to provide an extended set of functionality to cover additional use-cases, with the main driver being passwordless login flows. The U2F model is still the basis for FIDO2 and compatibility for existing U2F deployments is provided in the FIDO2 specs.
FIDO’s certification programs are a critical element in ensuring an interoperable ecosystem of products and services that organizations can leverage to deploy FIDO Authentication solutions worldwide. FIDO Alliance manages functional certification programs for its various specifications (e.g. U2F and FIDO2) to validate product conformance and interoperability. A FIDO2-certified device, such as a YubiKey 5 Series security key, has gone through a full FIDO certification program and successfully meets all requirements
The Federal Information Processing Standard Publication 140-2, is a U.S. government computer security standard used to approve cryptographic modules. It is published by the U.S. National Institute of Standards and Technologies (NIST) and is a security standard recognized by the U.S. and Canadian governments, as well as the European Union. It is often a specification that a security solution needs to meet for some of the more security-conscious organizations globally.
FIPS 140-2 Certified/Validated
To be FIPS 140-2 certified or validated, the software (and hardware) must be independently validated by one of 13 NIST specified laboratories, this process can take weeks. The FIPS 140-2 validation process examines the cryptographic modules. Level 1 examines the algorithms used in the cryptographic component of the software. Levels 2-4 build on the software component by adding different layers of physical security. The YubiKey FIPS Series meets Level 3 requirements (AAL3) which means that the code is within a tamper-proof container so that keys used in the cryptography are destroyed if the device is physically compromised.
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas
Hardware Authenticator or Token
A Hardware Authenticator is a physical object that verifies the user’s identity as they log into a system. The user needs to prove that they are in physical possession of the authenticator by plugging the device into the workstation, or mobile phone using a USB or NFC communication method.
Identity management, also known as identity and access management, is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to the right technology resources, based on their roles and privileges in the organization.
An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information for principals, such as individuals, computers or services, while providing authentication services to relying applications within a federation or distributed network.
In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol packets with a false source IP address, for the purpose of impersonating another computing system or website.
Man-in-the-Middle (MiTM) Attacks
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.
OATH - TOTP (Time)
OATH is an organization that specifies two open authentication standards: TOTP and HOTP. To authenticate using TOTP, the user enters a 6-8 digit code that changes every 30 seconds. The code is generated using HMAC(sharedSecret, timestamp), where the timestamp changes every 30 seconds. The shared secret is often provisioned as a QR-code or preprogrammed into a hardware security key.
OATH - HOTP (Event)
HOTP works just like TOTP, except that an authentication counter is used instead of a timestamp. The advantage of this is that HOTP devices require no clock. However, HOTP is susceptible to losing counter sync. That is, if the user generates an OTP without authenticating with it, the device counter will no longer match the server counter. This can be mitigated on the server by testing several subsequent counter values. This can not happen with Yubico OTP since its counter is encrypted (as opposed to hashed).
One-Time Password (OTP)
A one-time passcode or password (OTP) is a code that is valid for only one login session or transaction. An OTP is typically sent via SMS to a mobile phone, and they are frequently used as part of two-factor authentication (2FA). The NIST organization has recently deprecated SMS as a weak form of 2FA and encourages other approaches for strong 2FA.
Passwordless refers to passwordless authentication or login which represents a massive shift in how billions of users, both business and consumer, will securely log in to their critical resources and systems. The user can simply authenticate using a passwordless device, such as a FIDO2-based hardware security key to verify their credential with the application or system.