What is OTP? And what’s the difference between HOTP and TOTP? One-time password (OTP) offers a clever and elegant way to authenticate a user. Authentication occurs by way of verifying that the user is in possession of a shared secret, without the user having to communicate the secret itself. To authenticate, the user derives a...

Shared accounts are any resource that uses a single pair of credentials to authenticate multiple users. Shared resources can be tied to any platform or network tool, from email accounts to servers and databases. While shared accounts are not considered best practice, an organization may end up using shared accounts for a variety of reasons....

Passwordless authentication is a method of verifying users’ identities without the use of passwords or any other memorized secret. It is generally a form of multi-factor authentication or MFA, however simpler forms of passwordless authentication exist such as email-delivered magic links.  Instead of passwords, identity can be verified based on a “possession factor”, possession of...

In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) that is used to request access tokens from the Ticket Granting Service (TGS) for specific resources/systems joined to the domain. Use of the TGT was designed into the Kerberos protocol to avoid frequently asking the...

Out of band authentication (OOBA) is an authentication process that utilizes a communications channel separate from the primary communication channel of two entities trying to establish an authenticated connection. Using a separate authentication channel makes it significantly more difficult for an attacker to intercept and subvert the authentication process (i.e. via man-in-the-middle attack), because it...

Risk-based authentication, also commonly referred to as adaptive a0uthentication, is an authentication paradigm that attempts to match the required authentication credentials to the perceived risk of the connection or authorizations requested. The objective is to try to reduce the authentication burden on users and provide a better experience on the one hand, while enforcing strong...

Universal 2nd Factor (U2F) is a protocol designed to enable online services to augment their traditional password-based authentication with a second factor of authentication that is presented via a USB device or NFC interface. The use of a local interface requires client applications – typically a web browser – to support U2F. U2F is defined...

Biometric authentication is a user identity verification process that uses a biologically unique identifier to authenticate the user. Identifiers can be a fingerprint, hand contour, voice, iris, retina, face, etc. Biometric authentication typically requires an initial enrollment phase during which reference biometric data is registered. Once a reference is established, the authentication process involves comparing...

Adaptive authentication, also commonly referred to as risk-based authentication, is an authentication paradigm that attempts to match the required authentication credentials to the perceived risk of the connection or authorizations requested. The objective is to try to reduce the authentication burden on users and provide a better experience on the one hand, while enforcing strong...

Time-based One-Time Password (TOTP) is a single-use passcode typically used for authenticating users. The user is assigned a TOPT generator delivered as a hardware key fob or software token. The generator implements an algorithm that computes a one-time passcode using a secret shared with the authentication server and the current time – hence the name...

Push Notification Authentication enables user authentication by sending a push notification directly to a secure application on the user’s device, alerting them that an authentication attempt is taking place. Users can view authentication details and approve or deny access, typically via a simple press of a button. Notifications can be sent in-band or out-of-band, using...

Privileged Access Management (PAM) refers to a class of solutions that help secure, control, manage and monitor privileged access to critical assets. To achieve these goals, PAM solutions typically take the credentials of privileged accounts – i.e. the admin accounts – and put them inside a secure repository (a vault)  isolating the use of privileged...

A key distribution center (KDC) is a component in an access control system responsible for servicing user requests to access resources by supplying access tickets and session keys. The KDC will use cryptographic techniques to authenticate requesting users, lookup their permissions, and grant them a ticket permitting access. The user can then present the ticket...

A smart card is a secure microcontroller that is typically used for generating, storing and operating on cryptographic keys. Smart card authentication provides users with smart card devices for the purpose of authentication. Users connect their smart card to a host computer. Software on the host computer interacts with the keys material and other secrets...

Step up authentication is the process by which a user is challenged to produce additional forms of authentication to provide a higher level of assurance that he is in fact who he claims to be. Step up authentication is typically implemented as part of an adaptive authentication scheme that seeks to match the risk level...

Active Directory (AD) is an identity directory service for users and computers that was developed and marketed by Microsoft for use on Windows domains. The AD service is comprised of several sub-services, with some of the main ones described below: Active Directory Domain Services (AD DS), also known as a domain controller, stores all the...

Two-Factor Authentication (aka 2FA) is a specific type of Multi-Factor Authentication that requires the authenticating party to produce two separate identifying factors. that are indicative to its identity, instead of the previously standard single identifier, usually a password, required in many systems. 2FA improves security substantially since an attacker would need to gain possession of...

Single-Factor Authentication (SFA) is an identity verification process that requires the access-requesting party (can be a person, software or machine) to produce to the authenticating party a single identifier – single factor – that is linked to its identity. SFA is used by default in many systems because it is easy and cheap to implement....

Multi-Factor Authentication (aka MFA) is an authentication method that requires the authenticating party (be it a person, software or a hardware module) to produce several separate identifiers (or “factors”) that are indicative to its identity, instead of the previously standard single identifier, usually a password, required by default in many systems. Our age’s high dependency...