Glossary

Learn the key terms and concepts in authentication and user management.

A

Account Takeover

An Account Takeover refers to the unauthorized access and control of a user’s account by malicious actors. This security breach often involves exploiting weak passwords, phishing attacks, or other vulnerabilities to gain access to personal information, financial data, or other sensitive content. Preventing account takeovers is crucial for maintaining user trust and safeguarding data integrity.

Active Device Monitoring

Active Device Monitoring is a continuous security practice that involves tracking and analyzing the behavior of devices connected to a network. This technique helps in identifying suspicious activities, unauthorized access attempts, and potential security threats in real-time. Implementing active device monitoring enhances the overall security posture by ensuring only trusted devices can access sensitive information.

AI Authentication

AI Authentication leverages artificial intelligence to enhance the security and efficiency of the authentication process. By analyzing patterns, behaviors, and biometric data, AI authentication can provide a more secure and seamless user experience. This advanced method reduces the risk of fraud and unauthorized access by continuously learning and adapting to new threats.

API Key

An API Key is a unique identifier used to authenticate a user, developer, or calling program to an API (Application Programming Interface). API keys are essential for controlling access to the API, tracking usage, and preventing unauthorized access. Proper management and security of API keys are critical to protect sensitive data and maintain the integrity of the API.

Artificial Intelligence (AI)

Artificial Intelligence (AI) refers to the simulation of human intelligence in machines that are programmed to think, learn, and perform tasks typically requiring human intelligence. AI encompasses a variety of technologies, including machine learning, natural language processing, and robotics. In web development and security, AI is used to enhance user experiences, automate processes, and improve threat detection.

Authentication

Authentication is the process of verifying the identity of a user, device, or application before granting access to a system or resource. This critical security measure ensures that only authorized individuals can access sensitive information. Authentication methods can include passwords, biometrics, tokens, and multi-factor authentication (MFA) to enhance security and user trust.

Authenticator Apps (TOTP)

Authenticator Apps using TOTP (Time-Based One-Time Password) generate temporary, time-sensitive passcodes used for two-factor authentication (2FA). These apps, such as Google Authenticator or Authy, provide an additional layer of security by requiring users to enter a code from the app in addition to their password. This method significantly reduces the risk of unauthorized access by ensuring that only users with access to the physical device can log in.

C

Claim

A claim represents a piece of information about a user or entity that is encoded within a JSON Web Token (JWT). When a token is created, claims are added to provide specific details about the token's subject, such as user ID, permissions, or expiration time. Claims are typically key-value pairs that describe attributes of the authenticated entity. The claims are digitally signed as part of the token, ensuring they cannot be altered without invalidating the token. One JWT can, and typically does, contain multiple claims that provide different types of information about the user or session.

H

Hash

Hashing is a way of converting data into a unique, fixed-length code that acts like a digital fingerprint. When a piece of information is run through a hashing process, it creates a specific string of characters that uniquely represents the original data. The hash can verify that the original data hasn't been changed, and cannot be 'decoded' to recreate the original information. The same input will always produce the same hash, and different inputs will typically produce different hashes. One piece of data can have multiple types of hashes generated from it depending on the specific purpose, such as checking if a password is correct or ensuring a file hasn't been tampered with.
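The two purposes the entry ends with, checking a password and checking that a file is unchanged, call for different hash constructions even though both rest on the same properties. The following is an added example, not code from this glossary: a plain SHA-256 fingerprint for integrity checking, and a salted, deliberately slow PBKDF2-HMAC-SHA256 derivation for password storage, with a constant-time verifier for each. The `algorithm$iterations$salt$hash` storage format and the function names are conventions chosen for this example.

```python
import hashlib
import hmac
import os


def sha256_hex(data: bytes) -> str:
    """Fixed-length fingerprint: any input size yields 32 bytes (64 hex chars),
    the same input always gives the same digest, and a one-bit change anywhere
    produces an unrelated digest."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Integrity use: recompute the digest of what we received and compare it
    with the digest published by the source."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Password use: a bare SHA-256 is too fast to resist guessing, so derive the
    stored value with PBKDF2-HMAC-SHA256 instead. The random per-user salt makes
    two users with the same password store different values, and the iteration
    count (600,000 is in line with current OWASP guidance for this function)
    makes each guess expensive. The salt and cost are stored with the hash."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """The stored value is never 'decoded'; the candidate password is re-hashed
    with the same salt and cost and the two digests are compared in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(derived.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed demo values.
    print(sha256_hex(b"abc"))
    print(sha256_hex(b"abd"))  # one character changed, entirely different digest
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

`sha256_hex(b"abc")` is a published test vector (`ba7816bf...f20015ad`), which is a convenient check that the integrity path is implemented correctly.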

O

OWASP Application Security Verification Standard (ASVS)

The OWASP Application Security Verification Standard (ASVS) is a framework for testing the security of web applications and ensuring they meet specific security requirements. It provides a basis for designing, building, and testing secure applications by defining levels of security controls. ASVS is widely used by developers and security professionals to standardize security requirements and assessments.

OWASP Testing Guide

The OWASP Testing Guide is a resource by the Open Web Application Security Project that outlines best practices for testing web application security. It covers testing areas such as authentication, data validation, and session management, helping security professionals enhance web application security.

P

Personal Account

A personal account is a user’s unique, individual space within the application, independent of any organization.

S

Session

A session represents an instance in which a user has signed in and is authenticated. Normally, when a user signs in successfully, a session is created and typically stored in a database, along with the user's ID, a status (active, revoked, expired, etc.) and an expiration time, at minimum. The session must be active and not expired in order for the user to be seen as authenticated. One user can, and typically does, have multiple sessions. Each time the user signs in, whether on the same or a different device, a new session is created.
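The record described above (user ID, status, expiration) and the rule that only an active, unexpired session counts as authenticated are easy to state as code. The following is an added example, not code from this glossary or from any particular product: an in-memory session store that creates a fresh session per sign-in, answers the "is this user authenticated?" question, and revokes one session or every session a user holds (the latter is what a password change or a suspected account takeover typically triggers). The `status` vocabulary matches the entry; the time-to-live, ID length and method names are choices of this example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    session_id: str
    user_id: str
    status: str          # "active", "revoked" or "expired"
    created_at: float
    expires_at: float


class SessionStore:
    """Minimal session table. A real deployment backs this with a database and
    sends only `session_id` to the client (e.g. in a Secure, HttpOnly cookie)."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, now: Optional[float] = None) -> Session:
        """Every successful sign-in gets its own session, even for a user who
        already has one on another device; the ID is unguessable."""
        now = time.time() if now is None else now
        session = Session(secrets.token_urlsafe(32), user_id, "active", now, now + self.ttl)
        self._sessions[session.session_id] = session
        return session

    def is_authenticated(self, session_id: str, now: Optional[float] = None) -> bool:
        """True only for a session that exists, is active and has not expired.
        Expiry is enforced on read, so a stale row flips to 'expired' lazily."""
        session = self._sessions.get(session_id)
        if session is None:
            return False
        now = time.time() if now is None else now
        if session.status == "active" and now >= session.expires_at:
            session.status = "expired"
        return session.status == "active"

    def revoke(self, session_id: str) -> bool:
        """Sign out one device. Returns False for an unknown ID."""
        session = self._sessions.get(session_id)
        if session is None:
            return False
        session.status = "revoked"
        return True

    def revoke_all_for_user(self, user_id: str) -> int:
        """Sign out everywhere; returns how many active sessions were revoked."""
        count = 0
        for session in self._sessions.values():
            if session.user_id == user_id and session.status == "active":
                session.status = "revoked"
                count += 1
        return count

    def sessions_for_user(self, user_id: str) -> List[Session]:
        return [s for s in self._sessions.values() if s.user_id == user_id]


if __name__ == "__main__":
    # Constructed walk-through: one user, two devices.
    store = SessionStore(ttl_seconds=60)
    laptop = store.create("user_123")
    phone = store.create("user_123")
    print(store.is_authenticated(laptop.session_id), store.is_authenticated(phone.session_id))
    store.revoke(phone.session_id)
    print(store.is_authenticated(laptop.session_id), store.is_authenticated(phone.session_id))
```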
