Authentication

The process of validating whether a person or an entity is in fact who they declare themselves to be. It is used to provide access control and identity management for systems by checking whether a user's credentials match the credentials held by the authentication server.

Shared Accounts

Shared accounts are any resource that uses a single pair of credentials to authenticate multiple users. Shared resources can be tied to any platform or network tool, from email accounts to servers and databases. While shared accounts are not considered best practice, an organization may end up using shared accounts for a variety of reasons. Sometimes the particular online tool leaves …

Passwordless Authentication

Passwordless authentication is any method of verifying the identity of a user that does not require the user to provide a password. Instead of passwords, proof of identity can be done based on possession of something that uniquely identifies the user (e.g. a one-time password generator, a registered mobile device, or a hardware token) or the user’s biometric signature (e.g. fingerprint, …

Ticket Granting Tickets (TGT)

In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) that is used to request access tokens from the Ticket Granting Service (TGS) for specific resources/systems joined to the domain. Use of the TGT was designed into the Kerberos protocol to avoid frequently asking the user for a password – a …

Out of Band Authentication (OOB)

Out of band authentication (OOBA) is an authentication process that utilizes a communications channel separate from the primary communication channel of two entities trying to establish an authenticated connection. Using a separate authentication channel makes it significantly more difficult for an attacker to intercept and subvert the authentication process (e.g. via a man-in-the-middle attack), because it requires the attacker to compromise two …

Risk Based Authentication (RBA)

Risk-based authentication, also commonly referred to as adaptive authentication, is an authentication paradigm that attempts to match the required authentication credentials to the perceived risk of the connection or authorizations requested. The objective is to try to reduce the authentication burden on users and provide a better experience on the one hand, while enforcing strong authentication where it is most needed …

Universal 2nd Factor (U2F)

Universal 2nd Factor (U2F) is a protocol designed to enable online services to augment their traditional password-based authentication with a second factor of authentication that is presented via a USB device or NFC interface. The use of a local interface requires client applications – typically a web browser – to support U2F. U2F is defined as part of Fast Identity Online …

Biometric Authentication

Biometric authentication is a user identity verification process that uses a biologically unique identifier to authenticate the user. Identifiers can be a fingerprint, hand contour, voice, iris, retina, face, etc. Biometric authentication typically requires an initial enrollment phase during which reference biometric data is registered. Once a reference is established, the authentication process involves comparing the presented biometric data to the …

Adaptive Authentication

Adaptive authentication, also commonly referred to as risk-based authentication, is an authentication paradigm that attempts to match the required authentication credentials to the perceived risk of the connection or authorizations requested. The objective is to try to reduce the authentication burden on users and provide a better experience on the one hand, while enforcing strong authentication where it is most needed …

Time Based One Time Password (TOTP)

Time-based One-Time Password (TOTP) is a single-use passcode typically used for authenticating users. The user is assigned a TOTP generator delivered as a hardware key fob or software token. The generator implements an algorithm that computes a one-time passcode using a secret shared with the authentication server and the current time – hence the name time-based OTP. The passcode is displayed …

Push Notification Authentication (Push Authentication)

Push Notification Authentication enables user authentication by sending a push notification directly to a secure application on the user’s device, alerting them that an authentication attempt is taking place. Users can view authentication details and approve or deny access, typically via a simple press of a button. Notifications can be sent in-band or out-of-band, using any number of communications channels. Push …

Privileged Access Management (PAM)

Privileged Access Management (PAM) refers to a class of solutions that help secure, control, manage and monitor privileged access to critical assets. To achieve these goals, PAM solutions typically take the credentials of privileged accounts – i.e. the admin accounts – and put them inside a secure repository (a vault), isolating the use of privileged accounts to reduce the risk of …

Key Distribution Center (KDC)

A key distribution center (KDC) is a component in an access control system responsible for servicing user requests to access resources by supplying access tickets and session keys. The KDC uses cryptographic techniques to authenticate requesting users, look up their permissions, and grant them a ticket permitting access. The user can then present the ticket to the target resource/system, which verifies …

Smart Card Authentication

A smart card is a secure microcontroller that is typically used for generating, storing and operating on cryptographic keys. Smart card authentication provides users with smart card devices for the purpose of authentication. Users connect their smart card to a host computer. Software on the host computer interacts with the key material and other secrets stored on the smart card to …