Identity & Access (92 entries)

- AAA Framework: A foundational access-control model built on three layered functions: Authentication, Authorization and Accounting.
- Access Token: Short-lived credential issued by an authorization server that a client presents to an API to access protected resources on a user's or service's behalf.
- Account Enumeration: An attack that abuses application responses to determine which accounts, emails, or phone numbers exist on a target system.
- Account Lockout: A control that temporarily or permanently blocks sign-in attempts after a configured number of consecutive failures, slowing online password-guessing attacks.
- Accounting (AAA): The third pillar of the AAA framework: recording what an authenticated identity did, when, from where and to which resources, for audit and billing purposes.
- Active Directory: Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization, and policy management for users, computers, and resources.
- Adaptive Authentication: An authentication approach that adjusts the strength and number of factors required in real time based on signals such as device, location, and behavior.
- API Key: Static secret string issued by a service to identify and authenticate a caller, usually sent in a header or query parameter on every API request.
- Attribute-Based Access Control (ABAC): An authorization model that evaluates policies over attributes of the subject, resource, action, and environment to decide whether to allow an access request.
- Authentication: The process of verifying that an entity — user, device or service — really is who or what it claims to be before granting access.
- Authorization: The process of deciding what an already-authenticated identity is allowed to do — which resources, actions and conditions are permitted.
- Bearer Token: An opaque or structured credential (RFC 6750) granting access to a resource simply by possession, without proof that the holder is the rightful owner.
- Behavioral Biometrics: A continuous-authentication technique that profiles unique user behaviors — typing rhythm, mouse movements, gait, or touchscreen gestures — to detect impostors.
- Biometric Authentication: An authentication method that verifies identity based on unique physical or physiological traits such as fingerprints, faces, irises, or voice patterns.
- BPF LSM: A Linux Security Module that lets verified eBPF programs attach to LSM hooks and enforce custom Mandatory Access Control decisions on syscalls, files, sockets, and capabilities.
- Continuous Authentication: An approach that keeps validating a user's identity throughout the session — using behavioral and device signals — rather than authenticating only once at login.
- Credential Harvesting: The collection of usernames, passwords, tokens, and other authentication secrets at scale, usually for later account takeover or sale.
- Credential Vault: A centralized, audited service that securely stores, rotates, and brokers access to secrets such as passwords, API keys, certificates, and SSH keys.
- CSRF Token: Unpredictable, per-session value embedded in forms or headers so the server can confirm that state-changing requests originate from its own pages.
- Decentralized Identifier (DID): A W3C-standard identifier that a subject controls directly, independent of any centralized registry, and that resolves to a DID document containing the subject's cryptographic key material.
- Device Code Flow (OAuth 2.0 Device Authorization Grant): An OAuth 2.0 grant (RFC 8628) where an input-constrained device (smart TV, CLI, IoT device) shows the user a code and a verification URL to authenticate on a second device — convenient for CLIs but a documented phishing vector.
- Digital Identity: The combination of identifiers, credentials, and attributes that represents a person, organization, or device in online systems.
- Discretionary Access Control (DAC): An access-control model in which the owner of a resource decides who can access it and what operations they can perform.
- DPoP (Demonstrating Proof of Possession): An OAuth 2.0 extension (RFC 9449) that binds access tokens to a per-client key pair, so a stolen bearer token cannot be replayed by an attacker without also stealing the private signing key.
- End-to-End Encryption (E2EE): An encryption model in which only the communicating endpoints hold the keys, so intermediate servers and network operators cannot read the plaintext.
- Federated Identity: An arrangement in which separate organizations or domains trust a common identity provider so users can use one identity across all of them.
- FIDO2: An open authentication standard from the FIDO Alliance combining WebAuthn (browser API) and CTAP (authenticator protocol) to enable phishing-resistant, passwordless sign-in.
- Golden SAML: An identity-attack technique that steals a federation IdP's token-signing private key (typically from AD FS) and forges arbitrary SAML responses, granting persistent, MFA-bypassing access to any federated service.
- HMAC-Based One-Time Password (HOTP): An event-based one-time password algorithm defined in RFC 4226 that derives a short code from a shared secret and a monotonically increasing counter.
- Identity and Access Management (IAM): A discipline and set of technologies for defining digital identities and controlling which resources each identity may access under which conditions.
- Impossible Travel Detection: A detection that flags successive sign-ins from geographic locations too far apart to be reached by any plausible travel within the elapsed time.
- Inherence Factor (Something You Are): An authentication factor based on a biometric characteristic of the user, such as a fingerprint, face, iris, voice or typing rhythm.
- Just-in-Time Access: An access model that grants elevated or sensitive permissions only for a limited time and a specific task, then revokes them automatically.
- JWT (JSON Web Token): Compact, URL-safe token format (RFC 7519) that carries signed JSON claims, widely used as access tokens, ID tokens, and session containers.
- Kerberos: A ticket-based network authentication protocol that uses symmetric cryptography and a trusted Key Distribution Center to enable secure single sign-on across services.
- Kerberos Constrained Delegation: An Active Directory delegation mode that allows a service to impersonate users only to a specified set of target services — safer than unconstrained delegation, but still abused via S4U2Self / S4U2Proxy attacks when misconfigured.
- Kerberos Unconstrained Delegation: An Active Directory configuration that lets a service receive and store TGTs for any authenticating user, allowing it to impersonate them to any other service — a high-impact misconfiguration repeatedly abused for credential theft and domain compromise.
- Kernel Mode vs User Mode: The two CPU privilege levels enforced by modern operating systems — kernel mode (supervisor, ring 0) with full hardware access and user mode (ring 3) restricted to its own address space and limited instructions.
- Knowledge Factor (Something You Know): An authentication factor based on information the user knows, such as a password, PIN, passphrase or answer to a security question.
- LDAP: The Lightweight Directory Access Protocol, an IETF standard for querying and modifying hierarchical directory services over TCP/IP, typically on port 389, or on port 636 when wrapped in TLS (LDAPS).
- Linux Capabilities: A Linux kernel feature, based on the POSIX.1e draft standard, that splits the all-powerful root privilege into 40-plus discrete capabilities that can be granted independently to processes and files.
- Location Factor (Somewhere You Are): A contextual authentication factor that uses the user's geographical or network location, such as GPS coordinates, IP geolocation or office Wi-Fi, to evaluate a sign-in.
- Machine Identity: The cryptographic identity of a non-human entity — workload, device, container, or API client — used to authenticate and establish trust with other systems.
- Magic Link Authentication: A passwordless sign-in flow where the user receives a single-use URL by email or SMS that, when clicked, authenticates the session.
- Mandatory Access Control (MAC): An access-control model in which a central policy — not the resource owner — enforces access decisions based on classifications and clearances assigned to subjects and objects.
- MFA Fatigue (Push Bombing): Attack in which an adversary with a valid password floods the victim with MFA push prompts until the user approves one out of confusion or annoyance.
- Microsoft Entra ID: Microsoft's cloud identity service — formerly Azure Active Directory — providing identity, single sign-on, MFA, Conditional Access, and external-identity capabilities for Microsoft 365 and millions of integrated SaaS applications.
- Multi-Factor Authentication (MFA): An authentication method that requires two or more independent factors — typically from different categories — before granting access.
- Mutual Authentication: An authentication exchange in which both communicating parties — client and server, or two services — cryptographically prove their identities to each other before exchanging data.
- NTLM Authentication: A legacy Windows challenge-response authentication protocol that proves a user's identity from a stored password hash, now considered weak by modern standards.
- OAuth 2.0: An open authorization framework that lets a resource owner grant a third-party application limited, scoped access to an API without sharing credentials.
- One-Time Password (OTP): A short numeric code that is valid for only a single login attempt or a brief time window, typically used as a second authentication factor.
- OpenID Connect (OIDC): An identity layer built on top of OAuth 2.0 that lets clients verify a user's identity and obtain basic profile information via signed ID tokens.
- Passkey: A phishing-resistant FIDO2/WebAuthn credential — a device-bound or syncable asymmetric key pair that replaces passwords with a cryptographic challenge-response.
- Passphrase: A long sequence of words or characters used as an authentication secret, typically chosen for high entropy and memorability rather than complexity.
- Password: A secret string of characters that a user supplies to prove identity to a system, traditionally the dominant single-factor authentication mechanism.
- Password Entropy: A measure, in bits, of the unpredictability of a password — higher entropy means more guesses are required for an attacker to recover it.
- Password Manager: An application that generates, stores, and autofills strong unique credentials, secured by a master passphrase and increasingly by passkeys.
- Password Policy: A documented set of rules governing how user passwords are created, stored, rotated, and validated to balance security against usability for the workforce.
- Password Reuse: The practice of using the same password across multiple accounts or services, which lets a single breach compromise many of them.
- Phishing-Resistant MFA: MFA methods that cryptographically bind authentication to the legitimate web origin — FIDO2/WebAuthn passkeys, smart cards, and Windows Hello — rendering AiTM proxy phishing, MFA fatigue, and OTP interception ineffective.
- PKCE (Proof Key for Code Exchange): An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike.
- Possession Factor (Something You Have): An authentication factor based on a physical or cryptographic item the user holds, such as a hardware token, smart card, authenticator app or registered phone.
- Principle of Least Privilege: A security principle that grants every user, process, or service only the minimum privileges strictly required to perform its function — no more.
- Privileged Access Management (PAM): A set of practices and tools that secure, control, monitor, and audit access to accounts and systems with elevated administrative privileges.
- Push Authentication: An MFA method in which the identity provider sends a sign-in request to a trusted mobile app, which the user approves or denies with a tap.
- Pwned Password: A password that has appeared in a known data breach and therefore must never be allowed as a user secret, as catalogued by Troy Hunt's Have I Been Pwned service.
- Refresh Token: Long-lived credential used to obtain new short-lived access tokens from an OAuth 2.0 authorization server without prompting the user to log in again.
- Risk-Based Authentication (RBA): An authentication strategy that computes a real-time risk score for each sign-in and varies the response — allow, challenge, or block — based on that score.
- Role-Based Access Control (RBAC): An authorization model that grants permissions to roles rather than directly to users, so users inherit access by virtue of their role assignments.
- SAML: An XML-based open standard for exchanging authentication and authorization assertions between an identity provider and a service provider.
- Secure Messaging App: A communications app whose default mode applies end-to-end encryption, identity verification, and forward secrecy so that only the participants can read the messages.
- SeDebugPrivilege: A powerful Windows user right that lets its holder open, read, and modify the memory of any process — including LSASS — making it a prime target for attackers seeking credential theft.
- Self-Sovereign Identity (SSI): An identity model in which individuals or organizations hold and present their own credentials directly, without relying on a central identity provider.
- Service Account: A non-human identity used by an application, script, or service to authenticate to other systems, typically without interactive login.
- Session Management: The set of controls that issue, maintain, refresh, and revoke an authenticated session, binding a user's identity to subsequent requests until logout or expiration.
- Session Replay: A UX-analytics technique that records the DOM, clicks, scrolls, and keystrokes of a real user session so it can be replayed and analysed later.
- Session Token: Opaque identifier issued after authentication that the client returns with each request, letting the server look up the user's session state.
- Signal Protocol: The end-to-end-encryption protocol developed by Open Whisper Systems for the Signal messenger, combining the X3DH key agreement with the Double Ratchet algorithm.
- Single Sign-On (SSO): An authentication scheme that lets a user sign in once at a trusted identity provider and then access many applications without re-entering credentials.
- Social Login: An authentication pattern where users sign into a third-party site using their existing identity from Google, Apple, Microsoft, Facebook, GitHub, or similar providers.
- Step-Up Authentication: A pattern that requires additional or stronger authentication factors when a user attempts a higher-risk operation than their current session was originally authorized for.
- Time Factor (Authentication): A contextual authentication factor that restricts or evaluates access based on the time of day, day of week or duration of a session, often combined with risk-based policies.
- Time-Based One-Time Password (TOTP): A one-time password algorithm defined in RFC 6238 that derives a short code from a shared secret and the current time, rotating every 30 seconds by default.
- Token Impersonation: A Windows privilege-escalation technique (MITRE ATT&CK T1134) where an attacker duplicates an existing access token and uses it to run code in another user's security context.
- Two-Factor Authentication (2FA): A specific form of multi-factor authentication that requires exactly two factors — usually a password plus a second factor — to verify identity.
- U2F (Universal 2nd Factor): An open authentication standard from the FIDO Alliance that adds a hardware second factor to passwords using a USB, NFC, or Bluetooth security key.
- User Account Control (UAC): A Windows security feature introduced in Vista that runs interactive sessions with a limited token and prompts for consent or credentials before an administrative action elevates.
- Username Enumeration: A specific form of account enumeration in which application responses confirm whether a given username exists, helping attackers focus subsequent attacks.
- Verifiable Credential: A tamper-evident, cryptographically signed statement issued by one party about a subject, expressed in the W3C Verifiable Credentials Data Model.
- WebAuthn: A W3C standard JavaScript API that allows web applications to register and authenticate users with public-key credentials stored on platform or roaming authenticators.
- Workforce Identity: The identities, credentials, and access rights of an organization's employees, contractors, and internal services, as opposed to customer identity.