Access Control (7)
Access control model using attributes (user, resource, environment, action) to determine access. More flexible than RBAC for complex, context-aware policies.
Dynamic access control based on signals like user location, device health, risk level, and application sensitivity. Enforces context-aware security policies.
Access control where resource owners determine who can access their resources. Common in file systems where users set permissions on their own files.
Access control where a central authority defines access policies based on security classifications. Users cannot override these policies. Common in government systems.
General-purpose policy engine for unified authorization across the stack. Uses Rego policy language to define fine-grained access control decisions.
Access control using policies that evaluate multiple conditions and attributes. Enables fine-grained, dynamic authorization decisions based on complex business rules.
Access control model where permissions are assigned to roles rather than individual users. Users gain permissions by being assigned to appropriate roles.
Accounts (2)
Non-human account used by applications, services, or automated processes. Often has elevated privileges and requires special security considerations.
Account used by multiple people, complicating accountability and audit trails. Generally discouraged in favor of individual accounts with role-based access.
API Security (4)
Service managing API traffic including authentication, rate limiting, and routing. Centralizes security policy enforcement for backend services.
Simple credential for authenticating API requests. Easy to implement but lacks fine-grained access control. Should be rotated regularly and kept secret.
TLS with bidirectional authentication where both client and server present certificates. Provides strong machine-to-machine authentication for APIs and services.
Infrastructure layer handling service-to-service communication. Provides mTLS, authentication, and authorization between microservices. Examples include Istio and Linkerd.
Authentication (19)
A specific form of MFA using exactly two authentication factors. Common combinations include password + OTP, or password + biometric verification.
Authentication that adjusts requirements based on risk assessment. Low-risk scenarios use simpler methods; high-risk triggers additional verification steps.
Authentication using unique biological characteristics like fingerprints, facial features, iris patterns, or voice. Provides strong identity verification but raises privacy considerations.
Authentication where the server sends a random challenge and the client proves identity by responding correctly, typically with a cryptographic signature.
OTP algorithm generating codes based on a counter and shared secret. Each code is valid until used. Predecessor to TOTP, still used in some hardware tokens.
Passwordless authentication method sending a single-use login link via email. Clicking the link authenticates the user. Simple but depends on email security.
Authentication requiring two or more verification factors from different categories: something you know (password), something you have (token), or something you are (biometric).
A password valid for only one login session or transaction. Can be time-based (TOTP) or counter-based (HOTP). Common second factor in MFA implementations.
FIDO2 credential that replaces passwords, synced across devices via cloud platforms. Combines security of public key cryptography with convenience of password managers.
Authentication methods that don't require passwords, using alternatives like biometrics, hardware keys, or magic links. Eliminates password-related security risks.
Authentication methods that cannot be phished, such as FIDO2 security keys. Uses cryptographic binding to origins, preventing credential theft via fake sites.
MFA method sending authentication requests to a mobile app. User approves or denies access with a tap. More user-friendly than entering OTP codes.
FIDO2 credential stored on the authenticator, enabling passwordless authentication. User selects credential from device rather than entering username.
Authentication using real-time risk scoring from factors like location, device, behavior, and threat intelligence to determine authentication requirements.
Authentication scheme allowing users to access multiple applications with one set of credentials. Improves user experience while centralizing authentication control.
Requiring additional authentication factors when accessing sensitive resources or performing high-risk actions within an authenticated session.
OTP algorithm generating codes based on current time and a shared secret. Codes typically valid for 30 seconds. Used by apps like Google Authenticator and Authy.
Confirmation that a human physically interacted with an authenticator, typically by touching a button. Weaker than user verification but prevents remote attacks.
Local verification on an authenticator proving the authorized user is present. Methods include PIN, fingerprint, or face recognition on the device.
Compliance (4)
A comprehensive data protection and privacy regulation enacted by the European Union in 2018. It governs how organizations collect, process, store, and transfer personal data of EU residents. Key requirements include obtaining explicit consent, data minimization, the right to access, the right to erasure ('right to be forgotten'), data portability, and mandatory breach notification within 72 hours.
A United States federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information, known as Protected Health Information (PHI). HIPAA requires covered entities and business associates to implement administrative, physical, and technical safeguards including access controls, audit trails, encryption, and authentication mechanisms to ensure the confidentiality, integrity, and availability of electronic PHI.
A set of security standards established by the PCI Security Standards Council (founded by Visa, Mastercard, American Express, Discover, and JCB) to protect cardholder data. Requirements include implementing multi-factor authentication for administrative access, maintaining strong access control measures, encrypting transmission of cardholder data across open networks, and regularly testing security systems. Compliance is mandatory for any organization that processes, stores, or transmits payment card data.
An auditing framework developed by the AICPA (American Institute of Certified Public Accountants) that evaluates a service organization's controls across five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are commonly required by enterprise customers to verify that vendors properly protect customer data.
Core Concepts (6)
Security technique that regulates who or what can view or use resources. Enforces policies determining access rights based on identity, role, or other attributes.
The process of verifying the identity of a user, device, or system. Confirms 'who you are' through credentials like passwords, biometrics, or cryptographic keys.
The process of determining what actions or resources an authenticated identity is permitted to access. Defines 'what you can do' based on policies and permissions.
A framework of policies, processes, and technologies that manage digital identities and control user access to resources. Encompasses authentication, authorization, and identity lifecycle management.
Security discipline focused on managing, monitoring, and securing privileged accounts and access. Includes password vaulting, session recording, and just-in-time access elevation.
Identity assigned to applications, services, or containers rather than humans. Enables automated authentication and authorization for machine-to-machine communication.
Cryptography (10)
Symmetric encryption algorithm adopted as the standard by NIST. Available in 128, 192, and 256-bit key lengths. Used for data encryption at rest and in transit.
Cryptography using different keys for encryption and decryption. Also called public key cryptography. Enables secure key exchange and digital signatures.
One-way function producing fixed-size output from arbitrary input. Used for password storage, integrity verification, and digital signatures.
Cryptographic mechanism proving authenticity and integrity of data. Created with private key, verified with public key. Non-repudiable proof of origin.
Asymmetric cryptography using elliptic curves. Provides equivalent security to RSA with smaller key sizes. Used in FIDO2, TLS, and modern cryptographic systems.
Algorithm deriving cryptographic keys from passwords or other secrets. Adds computational cost to resist brute force. Examples include PBKDF2, bcrypt, and Argon2.
Cryptography using mathematically related key pairs. Public key encrypts/verifies; private key decrypts/signs. Foundation of FIDO, TLS, and digital signatures.
Asymmetric encryption algorithm whose security rests on the difficulty of factoring the product of two large primes. Used for key exchange, digital signatures, and encryption. Being replaced by elliptic curve cryptography.
Random data added to passwords before hashing. Prevents rainbow table attacks and ensures identical passwords produce different hashes.
Cryptography using the same key for encryption and decryption. Faster than asymmetric but requires secure key exchange. Used for bulk data encryption.
Device Security (4)
Cryptographic proof that a device or platform meets security requirements. Used to verify device identity and integrity before granting access.
Policy allowing employees to use personal devices for work. Requires careful balance between security controls and user privacy.
Evaluating device security posture before granting access. Considers factors like encryption status, patch level, MDM enrollment, and malware protection.
Technology for managing and securing mobile devices. Enables remote configuration, policy enforcement, and data wiping for lost or stolen devices.
Directory Services (2)
Microsoft's directory service for Windows domain networks. Provides authentication, authorization, and policy management. Foundation of enterprise Windows identity.
Microsoft's cloud-based identity and access management service. Provides SSO, MFA, and conditional access for cloud and hybrid environments.
Federation (6)
Statement about a subject (user) contained in a security token. Examples include username, email, group memberships, and custom attributes used for authorization.
System of trust between multiple organizations allowing users to use the same identity across domains. Enables SSO across organizational boundaries.
Service that creates, maintains, and manages identity information, providing authentication to relying applications. Examples include Okta, Azure AD, and Auth0.
Website or application that relies on a FIDO authenticator or identity provider for authentication. Verifies cryptographic assertions from authenticators.
Statement from an identity provider about a user's identity or attributes. SAML assertions and OIDC tokens are common formats for conveying identity claims.
Application or service relying on an identity provider for authentication. Trusts assertions from the IdP without managing credentials directly.
Governance (8)
Formal process for requesting additional access or permissions. Typically involves approval workflow, risk assessment, and audit trail.
Periodic review of user access rights to ensure appropriateness. Managers certify or revoke access. Required by compliance frameworks like SOX and HIPAA.
Managing user identities from creation through modification to deactivation. Includes provisioning, updates, access reviews, and timely deprovisioning.
Comprehensive identity management including governance, compliance, and administration. Combines provisioning, access reviews, and policy enforcement.
Account without an associated active user, typically from incomplete deprovisioning. Security risk as they may retain access without oversight.
Control preventing single individuals from having conflicting responsibilities that could enable fraud. IGA systems detect and prevent SoD violations.
Removing user access when no longer needed, typically upon termination or role change. Critical for security; delays create orphaned account vulnerabilities.
Creating user accounts and granting appropriate access across systems. Automated provisioning uses HR data or request workflows to create accounts consistently.
Hardware (7)
Dedicated cryptographic processor for secure key generation, storage, and operations. Provides tamper-resistant protection for sensitive cryptographic material.
Short-range wireless technology for contactless communication. Used by security keys and smart cards for convenient tap-to-authenticate experiences.
Isolated hardware subsystem for sensitive operations like biometric processing and key storage. Apple's implementation protects Face ID, Touch ID, and cryptographic keys.
Hardware device for cryptographic authentication, typically USB, NFC, or Bluetooth. Examples include YubiKey, Google Titan, and Feitian keys. Provides phishing-resistant MFA.
Physical card with embedded microprocessor for cryptographic operations. Stores certificates and private keys securely. Used for authentication and digital signatures.
Specialized chip on a computer's motherboard providing hardware-based security functions including cryptographic key generation, secure boot verification, and platform attestation.
Popular hardware security key by Yubico supporting multiple protocols including FIDO2, U2F, OTP, PIV, and OpenPGP. Industry standard for phishing-resistant authentication.
PAM (7)
Emergency account for critical system access when normal authentication is unavailable. Highly privileged, heavily monitored, and used only in emergencies.
Automatically inserting credentials into sessions without revealing them to users. Enables access while preventing credential theft or sharing.
Providing only the minimum privileges needed for a specific task. Combined with JIT access to minimize both the duration and scope of elevated permissions.
Granting privileged access only when needed, for limited time periods. Reduces standing privileges and attack surface. Core component of modern PAM solutions.
Secure repository for storing and managing privileged credentials. Automates password rotation, controls access, and provides audit trails for credential usage.
Account with elevated permissions beyond standard users, such as admin, root, or service accounts. Primary target for attackers due to extensive access rights.
Capturing privileged session activity for audit and forensic purposes. Records keystrokes, commands, and screen activity during administrative sessions.
PKI (5)
Trusted entity that issues digital certificates. Verifies identity of certificate requesters and signs certificates to establish trust chains.
List of certificates revoked before expiration, published by the CA. Clients check CRLs to verify certificate validity. Being replaced by OCSP.
Electronic document binding a public key to an identity, signed by a Certificate Authority. Used for TLS, code signing, email encryption, and device authentication.
Protocol for checking certificate revocation status in real-time. More efficient than downloading full CRLs. OCSP stapling improves performance.
Framework for managing digital certificates and public-private key pairs. Includes CAs, registration authorities, certificate repositories, and revocation mechanisms.
Principles (6)
Security strategy using multiple layers of controls. If one layer fails, others provide backup protection. Combines physical, technical, and administrative controls.
Principle restricting access to information based on job requirements. Even with appropriate clearance, users only access data necessary for their specific role.
Security principle granting users only the minimum permissions necessary to perform their job functions. Reduces attack surface and limits damage from compromised accounts.
Security principle requiring multiple people to complete sensitive tasks. Prevents fraud and errors by ensuring no single person has complete control over critical processes.
Security model assuming no implicit trust based on network location. Every access request is fully authenticated, authorized, and encrypted regardless of origin.
Security framework replacing VPNs with identity-based access to applications. Validates user, device, and context before granting per-application access.
Protocols (9)
OAuth extension binding access tokens to specific client key pairs. Prevents token theft and replay attacks by proving possession of a private key.
Network authentication protocol using tickets to prove identity. Uses symmetric key cryptography and a trusted third party. Core of Windows Active Directory authentication.
Protocol for accessing and managing directory services containing user information. Foundation of Active Directory and other enterprise identity stores.
Authorization framework enabling applications to obtain limited access to user accounts. The user authenticates with the identity provider, and the application receives a scoped token instead of the user's credentials.
Identity layer built on OAuth 2.0 for authentication. Provides standardized user identity information via ID tokens. Foundation for modern web authentication.
OAuth 2.0 extension preventing authorization code interception attacks. Required for public clients like mobile apps and SPAs that can't securely store secrets.
Remote Authentication Dial-In User Service. Network protocol for centralized authentication, authorization, and accounting. Commonly used for network access control.
XML-based standard for exchanging authentication and authorization data between identity providers and service providers. Common in enterprise SSO implementations.
Standard for automating user identity provisioning and deprovisioning across systems. Enables consistent user lifecycle management across cloud applications.
Standards (12)
NIST-defined levels of authentication strength. AAL1 allows passwords; AAL2 requires MFA; AAL3 requires hardware-based verifier-impersonation-resistant authenticators.
Smart card used by US Department of Defense for identity, authentication, and digital signatures. Implements PIV standards for military and civilian personnel.
Protocol enabling communication between authenticators (like security keys) and client devices. CTAP2 is part of FIDO2, supporting passwordless and MFA use cases.
NIST-defined levels for federated identity transactions. Specifies requirements for assertion protection, presentation, and trust between parties.
Open authentication standards developed by the FIDO Alliance enabling passwordless, phishing-resistant authentication using public key cryptography and hardware authenticators.
The latest FIDO standard combining WebAuthn and CTAP protocols. Enables passwordless authentication in browsers and platforms using security keys or platform authenticators.
NIST-defined levels of identity proofing rigor. IAL1 is self-asserted; IAL2 requires remote or in-person proofing; IAL3 requires in-person verification.
Digital Identity Guidelines from NIST defining identity assurance levels, authenticator requirements, and federation standards. Referenced by US federal systems and industry.
US federal standard for smart card-based identity credentials. Defines card format, cryptographic requirements, and authentication protocols for government IDs.
Secure Production Identity Framework for Everyone. Standard for workload identity enabling mutual authentication between services without shared secrets.
FIDO standard for hardware-based second factor authentication. Predecessor to FIDO2. Uses USB or NFC security keys for phishing-resistant MFA.
W3C standard for passwordless authentication in web browsers. Uses public key cryptography with hardware authenticators or platform biometrics to replace passwords.
Threats (8)
Attack systematically trying all possible password combinations. Mitigated by account lockouts, rate limiting, CAPTCHA, and strong password requirements.
Automated attack using stolen username/password pairs from data breaches to access accounts on other services where users reused credentials.
Security risk from people within the organization with legitimate access. May be malicious or negligent. Mitigated by least privilege, monitoring, and behavioral analytics.
Attack intercepting communications between two parties. In authentication context, can capture credentials or session tokens. Prevented by TLS and certificate pinning.
Attack trying common passwords against many accounts simultaneously. Avoids lockouts by limiting attempts per account. Effective against weak password policies.
Attack exploiting vulnerabilities to gain higher access privileges than authorized. Vertical escalation gains admin access; horizontal accesses other users' data.
Attack where valid authentication data is captured and retransmitted to gain unauthorized access. Prevented by nonces, timestamps, and cryptographic binding.
Attack stealing a valid session token to impersonate an authenticated user. Prevented by secure cookies, short session timeouts, and token binding.
Tokens (5)
Credential used to access protected resources on behalf of a user. Typically short-lived and scoped to specific permissions. Core of OAuth 2.0 authorization.
Security token where possession alone grants access. Anyone holding the token can use it. Must be protected in transit and storage.
JWT containing claims about the authentication event and user identity. Provided by OpenID Connect to prove the user's identity to the application.
Compact, URL-safe token format for transmitting claims between parties. Self-contained and cryptographically signed. Widely used in OIDC and API authentication.
Long-lived credential used to obtain new access tokens without re-authentication. Stored securely and can be revoked to terminate sessions.
Web Security (5)
HTTP mechanism allowing controlled access to resources from different origins. Configures which origins may make cross-origin requests, including authenticated ones, to APIs and read their responses.
Attack forcing authenticated users to execute unwanted actions. Prevented by anti-CSRF tokens, SameSite cookies, and verifying request origins.
Combination of scheme, host, and port that defines the security boundary for web content. FIDO authenticators are cryptographically bound to origins to prevent phishing.
Controlling authenticated user sessions including creation, timeout, renewal, and termination. Critical for security and user experience balance.
Automatic session termination after a period of inactivity (idle timeout). Absolute timeouts end sessions after a fixed lifetime regardless of activity. Balances security with user convenience.