Learn the Lingo

An API endpoint is a digital location where an API receives requests and sends responses. An API endpoint is usually exposed via a URL.

An access token is a string used in a token-based authentication flow. The client gets the access token from the authorization server and presents it to the resource server to access protected resources. Typically access token has a lifetime and is refreshed periodically.

Account takeover (ATO) is a form of identity theft where a cybercriminal gains access to a legitimate account, often by using stolen credentials. Brute force attacks, credential stuffing, phishing, and keystroke logging are all tactics used by attackers to take over user accounts. Learn more about account takeover.

Adaptive MFA is a subset of MFA where additional authentication factors are automatically triggered according to a user’s risk levels. For example, consider a user that regularly logs into an application from their laptop at home. If the user is on an international trip and tries logging in to the same application from an Internet cafe, they will be prompted in real time for additional credentials because too many behavioral signals have changed from the baseline. Adaptive MFA is also called adaptive authentication and risk-based authentication.

In an adversary-in-the-middle (AiTM) attack, the attacker positions themselves between two networked devices (usually client and server) to fraudulently obtain or alter data. SIM swapping, session hijacking, and DNS spoofing are some examples of AiTM attacks. AiTM attacks are also called man-in-the-middle (MiTM) attacks.

In an identity context, an application is a piece of software that relies on an identity provider for authentication and user management. Types of applications include single-page apps (SPA), native apps, regular web apps, and machine-to-machine (M2M) apps.

An authentication factor is a piece of evidence that helps verify a user’s identity. The three most popular authentication factors are knowledge (e.g. passwords, PIN codes), possession (e.g. registered devices, security keys), and inherence (e.g. fingerprint and facial recognition). These factors are also referred to as “what you know”, “what you have”, and “what you are” respectively.

The authentication server is a server that verifies a user or entity is who they say they are. The authentication server is not responsible for defining a user’s level of access – that is the responsibility of the authorization server.

An authenticator app is a software that uses soft tokens to generate and validate one-time passwords. Authenticator apps often use the TOTP algorithm to generate time-based OTPs. Google Authenticator, Microsoft Authenticator, and Authy are examples of authenticator apps.

The authorization code is a single-use code generated by the authorization server and presented to the client. The client then exchanges the code for an access token with the token endpoint when using the authorization code grant type.

The authorization endpoint is an endpoint on the authorization server responsible for getting the user’s consent when a client requests access to their protected resources.

The authorization server is responsible for getting the user’s consent and providing tokens (access and refresh tokens) to the client to facilitate access. The authorization server usually exposes two endpoints - the authorization endpoint which handles user authentication and consent, and the token endpoint which handles token generation.

A bearer token is a token implying that any party that possesses the token (the “bearer”) is authenticated to use the token.

Biometric (Passkeys/WebAuthn) authentication is the process of validating a person’s identity based on certain immutable physical or behavioral characteristics. Examples of biometric authentication include fingerprints, facial recognition, iris / retina scans, and vein recognition. Biometric authentication implemented with the FIDO standard ensures that the biometric characteristics are securely stored and verified locally on the user’s device. Learn more about biometric authentication.

Broken authentication is a blanket term for when poor implementation of identity and access controls is exploited by attackers to impersonate users online. Authentication can be considered “broken” when, for example, attackers are able to steal passwords, keys, session tokens, and other account information to take over user accounts. Learn more about broken authentication.

A brute force attack attempts to guess a shared secret – like passwords – by rigorously trying every possible combination. Brute force attacks continue to be successful because people tend to use boilerplate and easy-to-guess passwords. Learn more about brute force attacks.

CNAME, or Canonical Name, is a type of Domain Name Service (DNS) record that maps an alias domain name to the canonical domain name.

A claim is a statement that an entity (can be a user or application) makes about itself or another entity. Claims are attributes included in tokens that can be used by applications to determine the correct level of access to grant.

The client ID is an identifier that is assigned to an application after registering with the authorization server.

The client secret is a piece of data used by the client to authenticate with the authorization server before receiving an access token. The client secret should only be known to the client and the authorization server.

The Client-to-Authenticator Protocol (CTAP) is a protocol hosted by the FIDO Alliance that governs communication between a roaming authenticator and a client application. The latest version of the protocol (CTAP2) is part of the FIDO2 specification that helps organizations achieve passwordless authentication.

In OAuth 2.0, clients can be classified as either confidential clients or public clients. A confidential client is an application that is trusted to securely authenticate with the authorization server. Confidential clients can use the client credentials grant type in OAuth 2.0 and act as both the client and the resource owner.

Credential stuffing is a cyberattack where attackers use credentials obtained from a data breach on one service and attempt to programmatically log in to other unrelated services. These attacks are based on the premise that people tend to reuse usernames and passwords across online accounts. Learn more about credential stuffing.

A custom domain is a domain for a website or application with a unique branded name attached to the IP address.

Customer Identity Access Management (CIAM) refers to the set of tools and processes used by companies to verify their customers’ identity before granting access to applications and protected resources. Elements of authentication, authorization, and user management all fall under the ambit of CIAM. CIAM is often considered a subset of the wider Identity and Access Management (IAM) market.

In OAuth 2.0, the device code grant type is recommended for browserless devices or devices with restricted input capabilities like smart TVs or gaming consoles. In this grant type, rather than authenticating the user directly, the user is presented with a code and asked to go to their computer or phone to input the code and authorize the device.

Device fingerprinting is a mechanism through which a device is uniquely identified. It combines a range of device attributes (e.g. browser, operating system, IP address, geolocation) to accurately identify legitimate users and prevent fraudsters from breaking authentication.

A dictionary attack is a type of brute force attack where cybercriminals guess usernames or passwords by using a dictionary of common words and phrases. These attacks can also leverage passwords that have been stolen and leaked from earlier data breaches. Attackers can set up their own dictionaries or use dictionary software that substitutes “passwordized” characters (e.g. @ instead of a, 5 instead of s) to improve chances of success.

Enchanted links are an enhanced version of magic links. Enchanted links enable users to start the login process on one device (the originating device) while clicking the enchanted link on a different device. When the user clicks the correct link, their session on the originating device is validated, and they are logged in.

The FIDO (Fast IDentity Online) Alliance is an open industry consortium formed in 2013. The Alliance’s mission is to develop and promote passwordless authentication standards and protocols. Descope is a member of the FIDO Alliance alongside other companies like Apple, Google, Meta, Microsoft, and Yubico.

FIDO2 is an open standard that enables users to log into applications without using passwords on both desktop and mobile environments. Instead of passwords, FIDO authentication uses registered devices or FIDO2 security keys to validate user identities. FIDO2 consists of two components: The Web Authentication API (WebAuthn) and the Client-to-Authenticator Protocol (CTAP2). Learn more about FIDO2.

Federated identity is a method by which a user’s identity is linked across multiple identity management systems. With federated identity, authorized users can access multiple applications without requiring dedicated credentials for each application. Protocols and standards used in federated identity management include SAML, OAuth 2.0, and OpenID Connect.

Fingerprint authentication is a biometric authentication method where the unique ridges and patterns of a person’s fingerprint are used to validate their identity. Fingerprint authentication implemented with the FIDO standard ensures that the fingerprint template is securely stored and verified locally on the user’s device.

Descope Flows is a visual no-code interface to build screens and authentication flows for common user interactions with your application. You can create Flows in the Descope UI for user sign-up, sign-in, MFA, and other authentication logic using a visual workflow. Learn more about Flows.

HOTP is an algorithm used to generate and validate one-time passwords (OTP). It uses a shared secret key and an incremental counter as inputs to generate the OTP. Every time a new OTP is requested, the counter increments by one and a new code is generated.

A hard token is a physical device used to authenticate users. Hard tokens must be possessed by the user and are often used in enterprise and high-security scenarios. USB drives, keyfobs, and hardware devices like YubiKey are examples of hard tokens.

An ID token is a Base 64 encoded token that is presented to the client to confirm that a user has been authenticated, as well as to pass certain claims about the user. ID tokens were introduced by OpenID Connect (OIDC).

Identity proofing is the process of verifying that a user’s claimed identity matches their actual identity by using information aggregated from public and proprietary data sources. Identity proofing is usually done before providing users with credentials or in parallel with the authentication process.

An identity provider is the entity that authenticates users and passes on authentication and authorization attributes to the service provider.

Identity and Access Management (IAM) is the set of technologies, policies, and processes that enables companies to verify the identities of their stakeholders (employees, customers, partners) and provide them access to applications and protected resources.

An idle session occurs when an authenticated user is no longer actively engaging in their session. During an idle session, no interactions or transactions occur, which might indicate the user has stepped away or is no longer using the system. Managing idle sessions, such as by setting timeouts, is essential for enhancing security by minimizing the risk of unauthorized access and optimizing resource usage.

A JSON Web Token (JWT) (pronounced “jot”) is an industry standard method of securely transmitting claims information between two parties. An ID token is always a JWT according to OpenID Connect. JWTs are usually more compact and easier to process than other tokens.

Just-in-Time access is a security practice where users or devices are authorized to access protected resources on an as-needed basis. Providing temporary (rather than persistent) privileged access reduces the impact of account takeover and attacker intrusions. JIT access is usually a feature provided by Privileged Access Management (PAM) systems.

Keystroke logging is the process of recording every key typed on a user’s device. In an identity context, attackers can use keylogger software to track their victim’s keystrokes without their knowledge and steal knowledge-based credentials like passwords.

Knowledge Based Authentication (KBA) is an authentication method that is used to verify a user’s identity based on something the user knows. Examples of KBA include asking for the user’s personal information (e.g. street address, phone number) and asking security questions (e.g. mother’s maiden name, favorite teacher). Due to the relatively guessable and public nature of this type of information, KBA is not considered a very secure authentication factor, especially when used on its own.

Magic links are URLs with embedded tokens that let users log in without needing a password. These links are mostly delivered to the user’s email account, but can also be sent via SMS and other messaging services. Learn more about magic links.

Multi-factor authentication (MFA) is an authentication method that requires the user to provide two or more separate pieces of evidence to verify their identity. For example, the first factor can be an OTP sent to the user’s phone or email, and the second factor can be biometric authentication via fingerprints. Using more than one factor greatly reduces the chance of attackers compromising a user’s account. Learn more about MFA.

Multitenancy is a software architecture where multiple tenants use the same computing resources while keeping their data and business logic separate and secure. Multitenancy is a core component of modern, scalable SaaS and B2B architectures.

OTP stands for one-time password or one-time passcode. It is a dynamically generated set of numbers or letters meant to grant users one-time access to an application. OTPs can be sent to users via SMS, email, messaging services, or mobile push notifications. Alternatively, OTP generators such as hardware keys and mobile authenticator apps can also be used. Learn more about OTP.

OAuth 2.0 is an open, token-based authorization framework that allows users to grant access to their private resources on one application to another application without giving away their identity details. For example, a Twitter user can authorize Medium to access their profile, read their Tweets, or post to their feed without having to give Medium their Twitter credentials. OpenID Connect (OIDC) extends OAuth 2.0 to verify user identity. Learn more about OAuth.

OpenID Connect (OIDC) is an open standard that runs on top of OAuth 2.0. While OAuth is used solely for authorization, OIDC is used for authentication. OIDC allows applications to verify user identity without needing to collect and store any login information.

In password spraying attacks, cybercriminals try a single password on a large number of accounts before moving on to the next password and repeating the process. This method circumvents any account lockout measures in place after repeated login attempts on a single account.

Passwordless authentication is the process of verifying a user’s identity without using a password. One-time passwords, biometrics, magic links, and social logins are some examples of passwordless authentication. Using passwordless mechanisms reduces cognitive load on users and reduces the likelihood of password-based cyberattacks.

A password is a shared knowledge-based secret that verifies the identity of a user during an authentication process. Passwords are the root cause of most identity-related attacks.

Phishing is a cyberattack where scammers send malicious emails to victims in an attempt to steal their credentials, money, or sensitive data. Attackers often use social engineering in phishing attacks by pretending to be an entity that the victim trusts (e.g. their boss, their colleague, a trusted SaaS application).

Progressive profiling is a technique by which application owners can gradually collect data from their users based on product interactions. In an identity context, progressive profiling helps apps onboard users faster without frontloading the collection of personal information.

In the context of Descope, a Project is an abstraction for an application. A Project has authentication methods, Flows, users, and settings such as session management and timeouts that cannot be shared with other Projects. However, you can have more than one Project on Descope at a company level.

Proof Key for Code Exchange (PKCE) is an extension to the OAuth 2.0 protocol that adds an extra layer of security to the authorization code flow. It prevents unauthorized access to user data by generating a dynamic secret key that is used to exchange the authorization code for an access token.

In OAuth 2.0, clients can be classified as either confidential clients or public clients. A public client is a client that is incapable of maintaining the confidentiality of their credentials (e.g. native apps, browser-based apps). Public clients often use the authorization code grant type in OAuth 2.0.

A rainbow table attack attempts to decipher passwords from their hashes by using a specific table called a rainbow table. A rainbow table is a precomputed database containing plaintext permutations of encrypted passwords and their associated hashes.

Refresh tokens are credentials that are used to get new access tokens. If the authorization server issues the client with both an access token and a refresh token, the client can use the refresh token to request a new access token once the initially provided access token expires.

A relying party is a server that handles requests for access to protected resources. A relying party is also called a “claims-based application” since it relies on claims – either made by a user or device, or passed on from an identity provider – about the entity requesting access. Web applications are a type of relying party.

The resource owner is an entity (can be a user or application) that can authorize the client application to access their account or protected resources.

The resource server is a server that hosts protected resources. Once authorization is successful, the resource server grants the client access to the requested resources.

A role is a collection of permissions assigned to a user or entity that determines the level of access they should have to an application or protected resources.

Role-based access control (RBAC) is a mechanism that authorizes users to access protected resources based on their role within an organization. RBAC is a scalable approach to access management that – especially in B2B contexts – is simpler and more secure than assigning permissions on a per-individual basis.

System for Cross-domain Identity Management (SCIM) is a standard for automating the exchange of user identity information between identity domains or IT systems. SCIM allows for the dynamic creation, activation, deactivation, updating, or removal of users and groups.

SIM swapping is a form of identity theft where the victim’s phone number is ported over to an attacker-controlled SIM. Attackers are then able to intercept any one-time passwords to take over the victim’s account even if two-factor authentication (2FA) is enabled.

SMS authentication lets users log in to applications by entering a single-use code sent to their phone via text message. It verifies users with a possession-based factor (their mobile phone). SMS authentication is often used in combination with other authentication factors in a 2FA flow.

Scopes help define and limit an application’s level of access. Rather than granting full account access, scopes limit what a client can do after getting access to a user’s resources (e.g. read vs write access, limiting access to sensitive information). In OAuth 2.0, when the client requests authorization from the authorization server, the Scope parameter is used to specify the level of access being requested.

SAML is an XML-based open standard that helps users access multiple web applications with one set of login credentials. It enables two parties – the identity provider and the service provider – to exchange authentication details without needing a password. SAML is the de facto standard for implementing SSO. Learn more about SAML.

A service provider is an application or entity the user wants to access. The service provider receives trusted authentication and authorization attributes from the identity provider before granting the user access.

A session is a sequence of interactions between two devices, usually a client and a server, that happen over a single connection. When a user logs into an application, a new session is created and a session ID is assigned. Sessions keep track of any user-specific parameters that are needed to ensure a good app experience.

In session fixation, attackers take over user accounts by setting their session ID to a string known by the attackers. In practice, session fixation starts by attackers sending users a URL that contains a session ID, usually in a phishing email. When the user clicks the link and logs into the application, the attacker knows the valid session ID and can remotely hijack the session.

Session hijacking is a cyberattack where adversaries impersonate an authenticated user after stealing their session ID. Session hijacking can happen at both the application layer (Layer 7) as well as the network layer (Layer 3). Since a session ID for an authenticated session is considered a very strong authentication method, attackers getting a user’s session ID is as bad as attackers getting a user’s login credentials. Learn more about session hijacking.

A session ID is a long, randomly generated alphanumeric string that is continually transmitted between the server and the client. They are often stored in session cookies, URLs, and hidden forms on the website.

Single sign-on (SSO) is an authentication method where users can securely log in to multiple applications with one set of login credentials. SSO is often used in a business context and helps reduce the need for users to create and remember passwords for every individual application.

Social login is an authentication method where users can log into third-party applications by using existing login information from social networking sites like Google, Facebook, and Twitter. Social login is often implemented using the OAuth framework.

A soft token is a software-based security key that generates single-use login codes used to authenticate users. Soft tokens are usually stored on general-purpose user devices like desktops, laptops, and smartphones. Authenticator apps like Google Authenticator and Authy are examples of soft tokens.

Step-up authentication is a process where the user is asked to provide additional evidence of their identity before being allowed to access certain resources or perform certain actions in an application. It’s generally considered to be a subset of multi-factor authentication (MFA). Learn more about step-up authentication.

For B2B apps, a tenant is your customer (sometimes referred to as an account). A tenant can have one or more users. For example, if your B2B app has three customers, namely Customer1 (with 10 users), Customer2 (with 3 users), and Customer3 (with 50 users), then you have three tenants. Learn more about Descope tenant management.

TOTP is an algorithm used to generate and validate one-time passwords (OTP). It uses a shared secret key and Unix time as inputs to generate the OTP. A TOTP code changes at set time intervals, usually 30 to 90 seconds. TOTP can be implemented in both hardware tokens (physical security key) or software tokens (authenticator apps). Learn more about TOTP.

The token endpoint is the endpoint on the authorization server responsible for generating tokens.

Two-factor authentication (2FA) is an authentication process where the user must present two different forms of credentials before they are allowed to access an app, website, or protected resource. 2FA is a subset of MFA. While MFA can have two or more authentication factors, 2FA requires the use of exactly two authentication factors.

Universal 2nd Factor (U2F) is a protocol hosted by the FIDO Alliance. The FIDO U2F protocol enables applications to provide a strong 2nd factor to augment their existing password-based authentication flows. The user needs to possess a U2F device for this protocol to work as intended. The U2F device can be a dedicated physical device or can be built into the user’s computer or smartphone as software.

Universal Authentication Framework (UAF) is a protocol created by the FIDO Alliance. The FIDO UAF protocol enables applications to offer passwordless and multi-factor login experiences by using local authentication methods on user devices (e.g. fingerprint scans, facial recognition).

A user agent is any software or program acting on behalf of the user. Web browsers and email readers are examples of user agents.

User authentication is the process of verifying a user is who they claim they are. It is usually the first step in a user’s journey with an application.

User authorization is the process of determining what level of access a user has when interacting with an application or resource. Authorization is usually performed after successful authentication.

In an identity context, the user journey refers to every interaction a user has with an application that requires authentication, identity verification, and user management. Account registration, login, account recovery, password reset flows, and monetary transactions are some examples of touchpoints in a user journey.

User management refers to the set of processes and technologies that enables companies to manage accounts, identities, and access controls for their users.

The Web Authentication API (WebAuthn) is an open standard that enables applications to register and authenticate users without needing passwords by using public-key cryptography. Rather than using knowledge-based authentication (i.e. passwords), WebAuthn allows for possession-based and biometric authentication (i.e. registered devices, hardware security keys) to make the user journey more secure and convenient. Learn more about WebAuthn.