Authentication

The process of validating whether a person or an entity is in fact who they declare themselves to be. It is used to provide access control and identity management for systems by checking whether a user’s presented credentials match the credentials held by the authentication server.

FIDO2 Authentication Standard

FIDO2 refers to the combination of the FIDO Alliance’s specification for Client-to-Authenticator Protocols (CTAP) and the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification, which together enable users to authenticate to online services from both mobile and desktop environments using an on-device or external authenticator. WebAuthn defines a standard web API that is implemented by web browsers to enable web …

Token-Based Authentication

An old and trusted authentication mechanism that relies on passwords, but in a smarter way. In computer systems, a token is an object or structure used to transfer data between applications. Tokens are primarily used by stateless applications as a vehicle for client-side storage of session data. For example, a shopping app may track things like shopping carts, authentication data, and …

OTP, HOTP and TOTP

What is OTP? And what’s the difference between HOTP and TOTP? One-time password (OTP) offers a clever and elegant way to authenticate a user. Authentication occurs by way of verifying that the user is in possession of a shared secret, without the user having to communicate the secret itself. To authenticate, the user derives a one-time password from his copy of …

Shared Accounts

Shared accounts are any resource that uses a single pair of credentials to authenticate multiple users. Shared resources can be tied to any platform or network tool, from email accounts to servers and databases. While shared accounts are not considered best practice, an organization may end up using shared accounts for a variety of reasons. Sometimes the particular online tool leaves …

Passwordless Authentication

Passwordless authentication is a method of verifying users’ identities without the use of passwords or any other memorized secret. Instead of passwords, identity can be verified based on a “possession factor”, which is an object that uniquely identifies the user (e.g. a one-time password generator, a registered mobile device, or a hardware token) or an “inherent factor” like a person’s biometric …

Ticket Granting Tickets (TGT)

In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) that is used to request access tokens from the Ticket Granting Service (TGS) for specific resources/systems joined to the domain. Use of the TGT was designed into the Kerberos protocol to avoid frequently asking the user for a password – a …

Out of Band Authentication (OOB)

Out of band authentication (OOBA) is an authentication process that utilizes a communications channel separate from the primary communication channel of the two entities trying to establish an authenticated connection. Using a separate authentication channel makes it significantly more difficult for an attacker to intercept and subvert the authentication process (e.g. via a man-in-the-middle attack), because it requires the attacker to compromise two …

Risk Based Authentication (RBA)

Risk-based authentication, also commonly referred to as adaptive authentication, is an authentication paradigm that attempts to match the required authentication credentials to the perceived risk of the connection or authorizations requested. The objective is to try to reduce the authentication burden on users and provide a better experience on the one hand, while enforcing strong authentication where it is most needed …

Universal 2nd Factor (U2F)

Universal 2nd Factor (U2F) is a protocol designed to enable online services to augment their traditional password-based authentication with a second factor of authentication that is presented via a USB device or NFC interface. The use of a local interface requires client applications – typically a web browser – to support U2F. U2F is defined as part of Fast Identity Online …

Biometric Authentication

Biometric authentication is a user identity verification process that uses a biologically unique identifier to authenticate the user. Identifiers can be a fingerprint, hand contour, voice, iris, retina, face, etc. Biometric authentication typically requires an initial enrollment phase during which reference biometric data is registered. Once a reference is established, the authentication process involves comparing the presented biometric data to the …

Adaptive Authentication

Adaptive authentication, also commonly referred to as risk-based authentication, is an authentication paradigm that attempts to match the required authentication credentials to the perceived risk of the connection or authorizations requested. The objective is to try to reduce the authentication burden on users and provide a better experience on the one hand, while enforcing strong authentication where it is most needed …

Time Based One Time Password (TOTP)

Time-based One-Time Password (TOTP) is a single-use passcode typically used for authenticating users. The user is assigned a TOTP generator delivered as a hardware key fob or software token. The generator implements an algorithm that computes a one-time passcode using a secret shared with the authentication server and the current time – hence the name time-based OTP. The passcode is displayed …

Push Notification Authentication (Push Authentication)

Push Notification Authentication enables user authentication by sending a push notification directly to a secure application on the user’s device, alerting them that an authentication attempt is taking place. Users can view authentication details and approve or deny access, typically via a simple press of a button. Notifications can be sent in-band or out-of-band, using any number of communications channels. Push …