A–Z reference
Glossary.
Definition-first terms across CIAM. Each entry leads with a single citable sentence followed by extended context, related terms, and common questions. Built for the way AI engines extract, and the way practitioners actually look things up.
119 terms indexed.
A
AAGUID (Authenticator Attestation Globally Unique Identifier)
A 128-bit identifier that names the make and model of a WebAuthn authenticator, useful for policy decisions about which authenticators to accept.
AAL1 (Authenticator Assurance Level 1)
NIST SP 800-63's lowest assurance tier, providing some confidence the user controls the authenticator, typically single-factor password or single OTP.
AAL2 (Authenticator Assurance Level 2)
NIST SP 800-63's middle assurance tier, requiring two-factor authentication with at least one phishing-resistant or cryptographic factor in the SP 800-63-4 update.
AAL3 (Authenticator Assurance Level 3)
NIST SP 800-63's highest assurance tier, requiring multi-factor authentication with at least one hardware-bound cryptographic key and verifier-impersonation resistance.
ABAC (Attribute-Based Access Control)
An authorization model where access decisions are computed by evaluating policies against attributes of the subject, resource, action, and environment.
Access Token
An OAuth 2.0 credential the client presents to a resource server to access a protected resource, typically a JWT in modern deployments.
Account Linking
Joining two or more authentication identities into a single user account — typically merging a social login (Sign in with Google) with an existing email/password account or with another social provider.
Account Recovery
The flow that re-establishes a user's access to their account when they've lost their credential — and the most-attacked surface in any CIAM deployment.
Adaptive Risk-Based Authentication
Authentication policy that varies the required factors and friction based on risk signals — device, location, behavior, time-of-day, recent breach data — rather than applying a uniform challenge to every login.
Agentic Identity
The identity model for AI agents acting autonomously or on behalf of users — a third category of identity alongside human users and traditional non-human (service) identity, with its own authentication, authorization, and audit patterns.
ATO (Account Takeover)
An attack where a legitimate user's account is compromised and accessed by an unauthorized party, the dominant CIAM threat in 2026.
Attestation
A cryptographic statement from the authenticator about its origin and properties, used by relying parties to verify which authenticator created a credential.
Authentication
The process of verifying that a person, service, or device is who or what it claims to be, typically by presenting a credential the verifier can check.
Authenticator
A hardware or software component that holds the credential and produces the cryptographic proof of authentication on the user's behalf.
Authorization
The process of deciding whether an authenticated principal is allowed to perform a specific action on a specific resource, distinct from authentication.
Authorization Code Flow
The OAuth 2.0 flow where the client receives an intermediate code via browser redirect, then exchanges the code for tokens at the authorization server's token endpoint.
B
Bearer Token
An access credential where any party that holds (bears) the token can use it to access the protected resource, no further proof of possession required.
Biometric Authentication
Verifying a person's identity by measuring a physical or behavioral trait — fingerprint, face, voice, iris, typing rhythm — that is unique enough and stable enough to distinguish one user from another.
Bot Detection
Distinguishing automated traffic (credential-stuffing bots, scrapers, fake-account creators) from human users at authentication endpoints — typically via behavioral analysis, challenge-response, and threat intelligence.
Brute Force Attack
An attack that tries many credentials against a single account or many accounts to find a match, classically password-guessing, in practice often credential-stuffing.
C
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)
A challenge-response test designed to distinguish humans from automated bots — historically image or audio puzzles, increasingly invisible behavioral scoring that fires only on suspicious traffic.
CIBA (Client Initiated Backchannel Authentication)
An OIDC extension where the client (not the user's browser) initiates authentication, and the user approves on a separate device, common in IVR, call-center, and decoupled flows.
Claims
The pieces of information about an authenticated user that an identity token carries — sub, email, name, roles, custom organizational attributes — each a named assertion the IdP makes about the user.
Client Credentials Flow
An OAuth 2.0 flow for machine-to-machine authentication where the client authenticates with its own credentials, no user involvement.
Conditional UI
The WebAuthn capability (also called Passkey Autofill) where browsers surface available passkeys directly in the username field — letting users sign in by tapping their account rather than typing anything.
Consent Management
The CIAM capability for collecting, recording, presenting, and revoking user consent for data processing — required by GDPR, CCPA, HIPAA, and most modern privacy regimes.
Continuous Authentication
A pattern where authentication is evaluated continuously throughout a session rather than only at session start, with the session degraded or terminated when risk signals deteriorate.
Credential
Any piece of evidence a user, service, or device presents to prove an identity claim — a password, passkey, hardware token, API key, certificate, OTP, or biometric assertion.
Credential Monitoring
Continuous scanning of public breach databases, dark-web forums, and credential dumps for matches against a user's email or password — used to alert users to reset credentials before attackers exploit them.
Credential Stuffing
An automated attack that replays username-password pairs harvested from data breaches against unrelated sites, exploiting password reuse.
CTAP2 (Client to Authenticator Protocol 2)
The FIDO Alliance protocol that lets a browser communicate with an external authenticator (USB security key, NFC token, BLE device) to perform WebAuthn operations.
D
Data Breach
An incident in which personal or sensitive data is exposed to unauthorized parties — whether by attack, accident, or insider — triggering legal notification requirements under GDPR, CCPA, HIPAA, state breach laws, and sectoral rules.
Data Minimization
The privacy principle of collecting and retaining only the personal data strictly necessary for the stated purpose — codified in GDPR Article 5 and similar regimes, and a defense against breach blast radius.
Decentralized Identifier (DID)
A W3C-standardized identifier (RFC-quality spec since 2022) that doesn't depend on a central authority for issuance or resolution — instead anchored to a verifiable data registry such as a blockchain or another distributed ledger.
Deepfake Attack
An attack on biometric authentication or identity verification using AI-generated synthetic media — a fake video of the target, a synthetic voice, an AI-rendered face — to defeat liveness detection or impersonate the user.
Device Code Flow (Device Authorization Grant)
An OAuth 2.0 flow (RFC 8628) for input-constrained devices: the device displays a code, the user authenticates on a separate device, and the original device polls the token endpoint until it is authorized.
Device Fingerprinting
Identifying a device across sessions by combining many weak signals (user agent, screen size, fonts, canvas rendering, WebGL parameters) into a high-entropy identifier — used to detect device changes, account-takeover, and fraud.
Digital Identity
The set of attributes, credentials, and relationships that represent a person, organization, or service in a digital system — the thing CIAM platforms exist to manage.
Digital Identity Wallet
A personal app (mobile or web) that holds Verifiable Credentials, DIDs, and cryptographic keys on behalf of the user, used to authenticate to services and present credentials selectively.
Discovery Document
The JSON document an OAuth / OIDC issuer publishes at /.well-known/openid-configuration listing its endpoints, supported algorithms, scopes, and other capabilities — what makes self-configuring OIDC clients possible.
DPoP (Demonstrating Proof of Possession)
An OAuth 2.0 extension (RFC 9449) that binds an access or refresh token to a client-held cryptographic key, defeating bearer-token theft.
E
Encryption
The reversible transformation of data into ciphertext using a cryptographic key, so the original can be recovered only by a party holding the matching key.
EUDI Wallet (European Digital Identity Wallet)
The EU-mandated digital identity wallet under eIDAS 2.0 (Regulation 2024/1183), to be offered by every EU member state by 2026, holding citizen credentials and accepted across public and private services Union-wide.
F
FAPI (Financial-grade API)
A hardened OAuth 2.0 / OIDC profile defined by the OpenID Foundation for high-security financial scenarios such as Open Banking, payment APIs, and fintech.
Federation
An identity pattern where one identity provider authenticates a user on behalf of another; the federated party trusts the upstream IdP's assertion rather than verifying the user's credential itself.
Federation Assurance Level (FAL)
NIST SP 800-63C's three-level scale (FAL1, FAL2, FAL3) describing the cryptographic strength of the assertion the IdP sends to the relying party in a federated authentication.
FGA (Fine-Grained Authorization)
An authorization category that grants permissions per individual resource instance, typically implemented via Zanzibar-style ReBAC, supporting billions of objects with sub-millisecond evaluation.
FIDO2 (Fast IDentity Online 2)
An open standards bundle from the FIDO Alliance, WebAuthn (the browser API) plus CTAP (the device-to-browser protocol), that powers passkey and hardware-key authentication.
I
ID Token
An OIDC credential, always a signed JWT, that conveys identity claims about the authenticated user from the authorization server to the client.
Identity Assurance Level (IAL)
NIST SP 800-63A's three-level scale (IAL1, IAL2, IAL3) describing how rigorously the user's claimed real-world identity was proofed before the credential was issued.
Identity Verification (IDV)
The process of proving a person is who they claim to be in the real world — typically combining a government-issued ID, a selfie with liveness check, and verification against authoritative data sources.
IdP (Identity Provider)
The system that authenticates a user and issues identity claims to relying-party applications, typically over SAML or OIDC.
Injection Attack
In the IDV context, an attack that injects pre-rendered synthetic media (a deepfake video, a synthetic face capture) directly into the camera or sensor pipeline at the OS, driver, or virtual-camera level — bypassing the lens entirely.
ITDR (Identity Threat Detection and Response)
A category of security tooling focused on detecting, investigating, and responding to identity-targeted attacks, emerging in 2023 and increasingly distinct from traditional EDR/XDR.
J
JIT Provisioning (Just-in-Time Provisioning)
A pattern where a SaaS application auto-creates a user record on the user's first SSO login, populated from the SAML or OIDC assertion attributes.
JWE (JSON Web Encryption)
A standard (RFC 7516) for representing encrypted content as a compact, URL-safe JSON object, the encryption counterpart to JWS.
JWKS (JSON Web Key Set)
A JSON document published by an OAuth / OIDC server listing its current public signing keys, used by relying parties to verify JWT signatures without out-of-band key distribution.
JWS (JSON Web Signature)
A standard (RFC 7515) for representing signed content as a compact, URL-safe JSON object, the dominant integrity mechanism for JWTs.
JWT (JSON Web Token)
A compact URL-safe means of representing claims to be transferred between parties, encoded as a signed (JWS) or encrypted (JWE) JSON object per RFC 7519.
K
Key Derivation Function (KDF)
A cryptographic function that transforms a password or low-entropy input into a fixed-length key using a slow, salted, and (ideally) memory-hard process designed to resist brute-force attacks.
Knowledge-Based Authentication (KBA)
Verifying a user by asking questions whose answers only they should know — security questions ("first pet's name"), or dynamic KBA pulled from credit-bureau or public-records data.
KYC (Know Your Customer)
Regulated identity verification that confirms a customer is who they claim to be, required for financial services, healthcare, and many regulated industries.
M
Magic Link
A passwordless authentication method that emails a single-use, short-lived URL the user clicks to sign in.
MAU (Monthly Active Users)
The metric most commonly used to price CIAM platforms, counting unique users who authenticated in a calendar month (definitions vary by vendor).
MFA (Multi-Factor Authentication)
A security control requiring at least two independent factors from distinct categories (knowledge, possession, inherence) to authenticate a user.
Mobile Driver's License (mDL)
A digital driver's license held in a smartphone wallet, conformant to the ISO/IEC 18013-5 standard, accepted for age verification, identity verification, and increasingly air travel and government services.
mTLS (Mutual TLS)
A TLS variant where both client and server present X.509 certificates to authenticate each other, used for service-to-service auth and high-assurance API access.
N
NHI (Non-Human Identity)
An identity belonging to a service, machine, agent, or automated process rather than a human, the fastest-growing identity category in 2026.
Nonce
A "number used once" — a value generated by one party and echoed back by another to bind a response to its specific request and defeat replay attacks.
O
OAuth 2.1
A consolidation of OAuth 2.0 plus the security best-practice RFCs into a single specification, making PKCE mandatory and removing the Implicit and ROPC grants.
OAuth Scope
A string that specifies what permissions the client is requesting on behalf of the user, surfaced as the consent screen's permission list.
OIDC (OpenID Connect)
An identity layer on top of OAuth 2.0 that adds authentication semantics (ID tokens, claims, and standardized identity flows) to the authorization framework.
One-Time Password (OTP)
A short numeric or alphanumeric code valid for a single authentication event, delivered out-of-band (SMS, email, authenticator app) or computed from a shared secret.
P
PAR (Pushed Authorization Requests)
An OAuth 2.0 extension (RFC 9126) that moves the authorization request from URL parameters to a backend POST, returning a one-time request_uri for the redirect.
Passkey
A user-facing brand name for synced WebAuthn credentials that replace passwords with a phishing-resistant cryptographic key bound to the user's device or cloud password manager.
Password Hashing
The one-way transformation of a password into a fixed-length string using a slow key-derivation function, designed so the original password cannot be recovered from the hash.
Passwordless Authentication
Any authentication scheme that verifies the user without asking for a password — using a passkey, hardware security key, biometric, magic link, or one-time code instead.
Pepper
An application-level secret mixed into every password hash that, unlike a salt, is kept outside the database — so a database breach alone cannot enable offline password cracking.
Phishing
An attack where the user is tricked into entering credentials on a fraudulent site that looks like a legitimate one, usually delivered via email or SMS.
Phishing-Resistant Authentication
An authentication mechanism whose credential cannot be tricked into authenticating to a malicious site — passkeys, FIDO2 hardware keys, and PIV/CAC smart cards qualify; passwords, OTPs, and magic links do not.
PII (Personally Identifiable Information)
Any information that can identify a specific individual, either alone (full name, government ID) or combined with other data (email + birthday + zip code).
PKCE (Proof Key for Code Exchange)
An OAuth 2.0 extension that protects authorization code flows from interception attacks by binding the authorization request to the token exchange via a hash.
Progressive Profiling
The CIAM pattern of collecting user profile data incrementally over the relationship — minimal at signup, more on subsequent visits — instead of demanding everything in a single registration form.
Public-Key Cryptography
A cryptographic system in which each principal holds a mathematically linked key pair — a public key that anyone can use to encrypt or verify, and a private key the holder uses to decrypt or sign.
Push Authentication
An MFA mechanism where the user approves or denies a login request via a push notification on a registered mobile app, eliminating the need to type an OTP code.
R
Rainbow Table
A precomputed lookup table mapping common passwords to their hashes, used to reverse unsalted password hashes by lookup instead of cracking.
Rate Limiting
Bounding the number of authentication attempts per identifier, IP, or other key per time window — the primary defense against credential-stuffing and brute-force attacks on login endpoints.
RBAC (Role-Based Access Control)
An authorization model where permissions are granted to roles and users are assigned to roles, defined in NIST INCITS 359-2004.
ReBAC (Relationship-Based Access Control)
An authorization model where permissions are computed by traversing a graph of relationships between subjects and resources, popularized by Google's Zanzibar paper.
Refresh Token
A long-lived OAuth 2.0 credential the client uses to obtain new access tokens without re-authenticating the user.
Refresh Token Rotation
The OAuth pattern of issuing a new refresh token (and invalidating the old) on every refresh operation — bounding the replay window for stolen refresh tokens and enabling automatic theft detection.
Relying Party
In federation, the application or service that relies on an identity provider's authentication; your SaaS is the relying party when it federates to Okta or Google.
RP-ID (Relying Party Identifier)
The WebAuthn identifier (typically a registrable domain) that scopes a passkey credential to a specific origin; it is the most-misconfigured field in passkey deployments.
S
Salt
A unique random value mixed with a password before hashing so that identical passwords produce different hashes, defeating precomputed lookup attacks like rainbow tables.
SAML (Security Assertion Markup Language)
An XML-based open standard for exchanging authentication and authorization data between identity providers and service providers, dominant in the enterprise SSO installed base.
SAML Metadata
An XML document that describes a SAML entity (IdP or SP): its entity ID, public certificate, supported endpoints, and binding preferences.
SCIM (System for Cross-domain Identity Management)
A REST-and-JSON standard for automated user provisioning and deprovisioning between identity providers and applications, defined by RFC 7644.
Selective Disclosure
A cryptographic capability that lets the holder of a credential reveal only specific fields to a verifier — proving age over 21 without revealing date of birth, name, or address.
Self-Sovereign Identity (SSI)
An identity model where the user holds their credentials in a personal wallet and controls when and how they're shared — without dependence on any single issuer or platform for ongoing access.
Sender-Constrained Token
An OAuth access or refresh token bound to a specific client via a cryptographic key — useless if stolen without the corresponding key. Implemented via mTLS (RFC 8705) or DPoP (RFC 9449).
Service Provider (SP)
In SAML federation, the application that consumes authentication assertions from an identity provider; it is the SAML term for what OIDC calls the relying party.
Session
The state representing an authenticated user's current interaction with an application, typically backed by a token (cookie, JWT, or opaque session ID).
Single Logout (SLO)
The federation protocol mechanism that propagates a logout request from one application to the IdP and on to every other application sharing the SSO session — terminating all sessions in one user action.
Social Login
Federation to consumer-grade identity providers (Google, Apple, Facebook, Microsoft, GitHub) that lets users sign in with an existing account rather than creating a new password.
SSO (Single Sign-On)
An authentication pattern where a user signs in once at an identity provider and that authentication grants access to multiple applications without re-authenticating at each.
Step-up Authentication
A pattern where the application requires additional authentication factors when the user attempts a sensitive operation (transfers, payment changes, factor reset).
Synthetic Identity Fraud
A fraud pattern that constructs new "identities" by combining real and fabricated data — typically a real Social Security Number (often a child's, before credit history exists) with a fake name, fake birthdate, fake address — to build credit and commit fraud at scale.
T
Token Binding
A defunct IETF standard (RFC 8471-8473) for binding HTTP authentication tokens to the TLS connection that issued them — superseded in practice by mTLS-bound tokens (RFC 8705) and DPoP (RFC 9449).
TOTP (Time-Based One-Time Password)
A six- or eight-digit code generated by an authenticator app that rotates every 30 seconds, derived from a shared secret and the current time per RFC 6238.
Two-Factor Authentication (2FA)
An authentication scheme requiring exactly two independent factors — typically something the user knows (password) plus something they have (phone, security key) or are (biometric).
U
Universal Login
A hosted login experience served by the CIAM platform at a centralized URL (often a tenant-specific subdomain), used by multiple applications instead of each embedding its own login form.
User Directory
The persistent store of user accounts, credentials, profile attributes, and access state that underlies any CIAM platform — sometimes the CIAM's built-in database, sometimes an external directory (LDAP, AD) the CIAM federates against.
Userinfo Endpoint
The OIDC HTTP endpoint a client calls with an access token to retrieve standardized user profile claims — separate from the ID Token, used for on-demand profile data fetching.
V
Verifiable Credential (VC)
A W3C-standardized digital credential cryptographically signed by an issuer, held by a subject, and verifiable by a verifier — the privacy-preserving alternative to phoning back to the issuer for every check.
Verifier Impersonation Resistance
The property of an authenticator that prevents an attacker impersonating the legitimate verifier (the RP, the website) from extracting a usable credential or replay artifact from the user.
Z
Zanzibar
Google's globally consistent authorization system, described in a 2019 paper that became the architectural template for modern ReBAC and FGA implementations.
Zero Trust
A security architecture model that assumes no implicit trust based on network location and verifies every request against identity, device posture, and policy — "never trust, always verify."