Keeper IAM Glossary

A list of permissions specifying which users or systems are granted or denied access to a particular system resource, along with what operations they can perform on those resources.

The process by which IT administrators grant and restrict user access to specific systems and data. Typically, this is accomplished by setting up groups for job roles, departments, and/or project teams, then assigning users to the appropriate groups. Works in conjunction with identity management.

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. Originally, AD was used only for centralized domain management, but it's now an umbrella term referring to a wide range of directory-based identity services. It allows organizations to manage multiple on-premises infrastructure components and systems using a single identity per user. Not to be confused with Azure Active Directory, which is a tool used in conjunction with AD.

Because an organization’s Active Directory controls all system access, effective Active Directory security is crucial to securing the entire data environment.

A tool complementary to Active Directory (AD) that extends on-prem identities to cloud applications; similar to a web application SSO tool, but used on-prem instead of in the cloud. Like Azure AD, AD FS is not a replacement for Active Directory, but a tool used in conjunction with it.

Also known as adaptive authentication or risk-based authentication. A method by which login parameters are dynamically adjusted according to the risk a particular access request poses. For example, a user logging into a service on a device they use all the time may need only provide a password, but if they attempt to log in from a new device, or even a new browser, they may be required to also answer security questions or provide a one-time access code.

A set of definitions and protocols that allows different software applications to talk to each other. For example, weather apps use APIs from government weather bureaus to display weather data. Most modern websites and apps use at least some third-party APIs.

There are four different types of APIs:

Public APIs can be used by anyone, although some public APIs require prior authorization and/or use fees.

Private APIs are just that: private. They’re internal to an organization and used only within the business.

Partner APIs are similar to private APIs. They can be used only by authorized external business partners to facilitate business-to-business applications and transactions.

Composite APIs are a combination of two or more API types.

A unique identifier used to authenticate a user, developer, or application to an API. Typically includes a set of access rights on the API.

Ensuring that a user is who they claim to be. See Identity Management.

Ensuring that a user is authorized to access specific systems and data. See Access Management.

The tools and methods to securely store, access and manage infrastructure secrets in an IT environment, such as API keys, digital certificates and privileged account credentials. Also known as application to application password management (AAPM).

An Identity as a Service (IDaaS) solution that organizations can use for all their apps across their data environment, both cloud and on-premises. Azure Active Directory (Azure AD) is not a replacement for Active Directory; instead, it is used in conjunction with AD.

A person’s unique physical characteristics, such as fingerprints, iris scans, and facial recognition, that are used for user authentication and access control.

An automated attack where a threat actor uses a script to submit a very large number of passwords or passphrases, systematically checking all possible combinations until a working set of credentials are found.

Business process automation (BPA) refers to software that automates repetitive or manual tasks to enhance organizational efficiency. Examples of BPA include automated responses to customer actions, such as order confirmations and self-service password reset (SSPR).

A legacy IAM framework wherein all users inside a defined network perimeter are implicitly trusted, while those outside are not. Cloud computing, mobility, and widespread remote access have rendered castle and moat obsolete and it has been deprecated in favor of zero trust.

A key component of the FIDO2 set of specifications, Client to Authenticator Protocol (CTAP) enables an external authenticator, such as a smartphone or security key, to work with browsers that support WebAuthn and act as an authenticator to web services and desktop apps.

Also known as cloud security. An umbrella term encompassing the policies, procedures, controls and tools used to protect data, applications and services that are stored and used in the cloud, along with the underlying cloud infrastructure.

Typically, public cloud services operate under a shared responsibility model, where the cloud services provider is responsible for security *of* the cloud, while the organization buying the services is responsible for security *in* the cloud. This means that the cloud services provider secures the underlying infrastructure, including physical data centers and all the servers and equipment within them, while the organization secures the data and workloads they put into their cloud deployment.

A cloud-based service that offers IAM solutions to other cloud-based services.

A process by which a system monitors user behavior during a session, comparing it against a baseline, looking for anomalies and requiring the user to re-authenticate if anomalous behavior is detected.

An attack that takes advantage of the fact that many people use the same login credentials on multiple accounts. In a credential stuffing attack, once threat actors successfully obtain a set of working login credentials from one site, they attempt to use them on as many sites as possible.

The process by which organizations manage customer identities and access levels. Essentially a subtype of IAM that refers only to customers, as opposed to internal users or business partners.

Defense-in-Depth (DiD) is a multi-layered approach to cybersecurity, with each layer focused on a different type of security, to create comprehensive and robust defenses against cyber threats. The idea is that if one layer fails, the next one still stands in a threat actor’s way. Among the most common elements in a DiD strategy are antivirus software, network security tools and controls, IAM solutions and data loss prevention solutions.

The process of removing user access to entire systems or individual apps. An employee departing a company is deprovisioned from the entire system; an employee transferring to another location or department would be deprovisioned from that location or department's systems.

DevOps security, also called DevSecOps, is an application security practice that seeks to “shift security left,” meaning introducing it as early as possible within the software development life cycle (SDLC) with the goal of building secure applications. Further, like DevOps, DevSecOps breaks down organizational silos, enhancing communication and collaboration between development, operations and security teams throughout the SDLC.

Sometimes called endpoint threat detection and response (ETDR), an EDR solution is an integrated endpoint security tool that combines real-time continuous monitoring and endpoint data collection with rules-based automated response and analysis. An EDR solution monitors all endpoint activity, analyzes it to identify threat patterns, automatically responds to remove or contain identified threats, and provides notifications to human security personnel. The goals of an EDR system are to identify threats in real-time, automatically mitigate or contain them if possible and facilitate rapid response by human personnel.

Endpoint privilege management combines application control with least-privilege access to ensure that users are running only trusted applications with the lowest possible privilege.

Historically, network access within an organization was split into two broad categories: standard users and administrators. This is woefully insufficient to protect against credential-related cyber attacks in today’s highly complex, distributed data environments. Endpoint privilege management governs user access levels so that administrative privileges are granted to as few users as possible. In addition to protecting against insider threats, endpoint privilege management limits the ability of external threat actors to move laterally within the network should they manage to compromise a set of working user credentials.

An endpoint protection platform (EPP) is an integrated solution that detects malicious activity on endpoint devices and protects them from unauthorized access, phishing and file-based malware attacks. Modern EPPs are usually cloud-based, and some include a personal firewall, data protection and data loss prevention features, device control, and integration with vulnerability, patch and configuration management solutions.

An enterprise password manager (EPM) is a password management platform that is specifically designed for commercial use. An EPM is a fundamental part of any organization’s security and IAM stacks.

EPMs do everything that consumer password managers do, such as automatically generating strong passwords and providing users with a secure digital vault that they can use to store and access their passwords from multiple devices. However, they also include a wealth of features that are specific to organizations, such as an administrative panel that IT and security staff can use to provision and deprovision user accounts; monitor and control password use across the organization; set up role-based access controls (RBAC) and least-privilege access; run audit reports and manage shared passwords.

Additionally, some EPMs offer solutions that are specifically tailored to meet the needs of managed service providers (such as KeeperMSP) and U.S. government agencies (such as Keeper Security Government Cloud, aka KSGC).

Federated Identity Management (FIM) is an authentication method by which multiple software systems share identity data from a larger centralized system, therefore allowing users to access multiple apps and systems with a single set of login credentials. While federated identity management is often used synonymously with SSO, FIM enables access to systems and apps across domains (known as “federated organizations”), while SSO enables access within a single domain.

Organizations frequently use both SSO and FIM.

An open industry association with a stated mission to promote “authentication standards to help reduce the world’s over-reliance on passwords.

A joint effort of the FIDO Alliance and the World Wide Web Consortium (W3C) that seeks to enable users to leverage common devices, such as smartphones and hardware security tokens, to authenticate to online services in both desktop and mobile environments. Based heavily upon the U2F authentication standard, FIDO2 consists of the WebAuthn set of standards and the FIDO Client to Authenticator Protocol (CTAP).

Identity and Access Management (IAM) is an umbrella term encompassing the policies, procedures, controls and technological tools that organizations use to manage end users’ digital identities and control access to organizational networks, applications and data. IAM is a fundamental part of defense-in-depth (DiD).

Privileged Access Management (PAM), privileged session management (PSM), identity governance and administration (IGA), and customer identity and access management (CIAM) are all subcategories of IAM.

Identity as a Service (IDaaS) is a cloud-based authentication solution. Sometimes called SaaS-delivered IAM (Gartner) or IAM-as-a-Service (IaaS). IDaaS is an umbrella term referring to a wide variety of SaaS solutions for IAM, from SSO platforms to password managers.

Identity Governance and Administration (IGA) is a subcategory of IAM that refers to the policies and technological tools that allow organizations to ensure that their IAM policies are consistent and universally enforced throughout the data environment. IGA tools allow organizations to more effectively manage digital identities and mitigate identity-related access risks by automating the creation, management, and certification of user accounts, roles and access rights.

While IGA and IAM are sometimes used interchangeably, IGA is different from IAM in that, as Gartner puts it, IGA “allows organizations to not only define and enforce IAM policy, but also connect IAM functions to meet audit and compliance requirements.

Identity lifecycle management (ILM) is a subcategory of IAM that refers to the policies, procedures and technological tools to create digital identities and their associated permissions, manage and update them throughout their lifecycle, and delete them when they are no longer needed. The digital identity can belong to a human user, including an employee, a contractor, a vendor, a business partner or an application.

User privileges evolve over time. If an employee is promoted or takes on additional job duties, their network privileges may need to be adjusted. When employees leave the organization, their access must be revoked immediately. These are situations where ILM comes into play.

The process by which systems determine that users are who they claim to be. Examples include user names and passwords, as well as multi-factor authentication. Works in conjunction with access management.

An Identity Provider (IdP) is a service that stores and manages user identities. An IdP may check users against a stored list of user name and password combinations, or they may provide a list of user identities that another provider checks. SSO providers are IdPs.

JSON Web Token (JWT) is an open standard used to share security information between clients and servers. JWTs are signed either using a private secret or a public/private key, so that claims cannot be altered after the token is issued.

Just-in-time access, also known as JIT access, is a Privileged Access Management (PAM) practice where human and non-human user privileges are elevated in real-time and session length is limited to a predetermined time. This ensures that the human user or application can access a privileged application or system only when they need it, and then only for a certain period of time.

An open-source network authentication protocol that uses symmetric-key cryptography to authenticate requests between trusted hosts communicating across an untrusted network, such as the internet. Kerberos is the default authorization protocol in Microsoft Windows and a core component of Windows Active Directory. Support for Kerberos is built into all major operating systems. It is used extensively in large SSO deployments, where it supports multiple authentication methods.

A security best practice wherein human users and applications have the absolute minimum level of systems access they need to perform their tasks and no more.

Lightweight Directory Access Protocol (LDAP) is an open application protocol standard for accessing and maintaining distributed directory information services over an IP network. LDAP is commonly used as a single source of truth for usernames and passwords; applications can connect to the LDAP server and automatically add and delete users as employees onboard and leave an organization. LDAP is used as the basis for Microsoft Active Directory.

Also see SCIM, an LDAP alternative that is rapidly growing in popularity.

Machine identity management (MIM) governs the digital identities of non-human users, meaning the digital certificates and keys used by hardware devices (including IoT devices), workloads, applications, containers, etc. MIM is a subset of both IAM and secrets management.

Malicious software, more commonly known as malware, is exactly what its name implies – a form of malicious software that infects devices through various techniques, such as through victims clicking on phishing emails or downloading malicious files like games, movies or software.

A master password, sometimes abbreviated MP, is the password that end users create during the installation and setup of a password manager such as Keeper. A user’s master password is the only password they must remember. Because it is their key to their digital password vault, it is critical that it is strong and unique and that the user never loses or forgets it. For this reason, a passphrase is a good way to create a master password.

Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) are authentication methods that requires users to provide two or more authentication factors to gain access to a resource, such as an app, a folder or a system. To “qualify” as 2FA/MFA, each verification factor must come from a different verification category, as follows:

Something you know - Such as a password or a PIN.

Something you have - Such as a security key or a card.

Something you are - Biometrics, such as a fingerprint or an iris scan.

Somewhere you are - Your IP address and geolocation. Not used as often.

An ATM is an example of MFA, because users must insert a card (something they have) and enter a PIN (something they know).

2FA and MFA are essentially synonyms, with the only difference being that 2FA requires only 2 authentication factors, such as in the ATM example, while MFA can theoretically require 3 or more (such as a smart card, a PIN and a fingerprint).

An open standard for delegating access to user information in web applications and on websites. Used by companies such as Amazon, Google, Facebook, Microsoft, and Twitter to permit users to share information about their accounts with third-party applications or websites without having to give those third parties their passwords.

A One-Time Password (OTP) or Time-Based One-Time Password (TOTP) is an automatically generated string of characters that authenticates a user for a single transaction or login session. OTPs can be delivered via email, SMS or through an authenticator app. Frequently used as an authentication factor for 2FA/MFA.

A TOTP is like an OTP except that it is only valid for a short period of time, typically 30-60 seconds.

OpenID Connect (OIDC) is a RESTful authentication system built atop the OAuth 2.0 framework that uses JSON web tokens. Allows third-party apps to verify user identities and obtain basic user profile information, enabling single sign-on across multiple applications.

In a pass-the-hash (PtH) attack, a threat actor steals a hashed password and, without cracking it, attempts to use it to trick a system into creating a new authenticated user session. Pass-the-hash is typically used to move laterally within a network that has already been compromised. Windows machines are particularly susceptible to pass-the-hash due to A vulnerability in New Technology Local Area Network Manager (NTLM) hashes that allows threat actors to leverage compromised domain accounts with only the password hash, without ever needing the actual password.

A passphrase is an easy way for users to create a strong, unique password. For this reason, passphrases are frequently used to create master passwords.

To create a passphrase, a user needs to make up a sentence or a phrase that includes a combination of upper and lower case letters, numerals and special characters and punctuation.

Example of unacceptable passphrase: “My first apartment was in Alexandria, Virginia.” This generates the password MfawiAV – which is rather short (only 7 characters) and does not include any special characters or numbers. A threat actor using an automated password cracker could figure out this password rather quickly.

Example of acceptable passphrase: “My first apartment was at 2630 Hegal Place #42 Alexandria, Virginia 23242.” This generates the password Mfawa2630HP#42AV23242, which is 21 characters long and includes both upper and lower case letters, numerals, and a special character. Even an automated password cracker would need decades to crack this password!

A brute force attack that takes advantage of the fact that many passwords are quite “popular” among users. For example, many people use the keyboard pattern “qwerty” or simply the word “password.” A password spraying attack takes a list of “popular” passwords and tries them in combination with every user name in the system.

A method of verifying a user’s identity without using a password, via means such as biometrics, security keys, or one-time passwords (OTPs).

Also called super user privilege management (SUPM), Privilege Elevation and Delegation Management (PEDM) is a subset of PAM that provides non-administrative users with temporary access to privileged systems based on specific limitations. For example, a user may be granted access to a particular application for only a specified period of time. After the session limit expires, the user’s access rights are automatically revoked.

PEDM solutions enable organizations to leverage just-in-time access to reduce the number of users with administrative privileges.

Privileged access governance (PAG) applies IAM rules to privileged users, ensuring that even privileged user access follows the principle of least privilege. Processes associated with PAG include automated account provisioning and deprovisioning, a formal approval process for granting new privileged access and periodic reviews of privileged accounts to ensure that access levels are still appropriate.

Privileged Access Management (PAM) refers to the tools and technology organizations use to secure, control and monitor access to their most critical information and resources, such as local and domain administrative accounts.

Sometimes called PAM-as-a-Service, Privileged Access Management as a Service (PAMaaS) is a cloud-based Privileged Access Management solution.

A privileged access workstation (PAW), sometimes called a Secure Access Workstation (SAW), is a hardened workstation designed specifically and solely for executing highly privileged tasks. PAWs are configured with security controls and policies that restrict local administrative access and block email, office productivity tools and web browsing; they are equipped with only the tools that are absolutely necessary to perform highly privileged tasks. This blocks the most common vectors for phishing attacks (email and web browsing), dramatically reducing the risk that the PAW will be compromised.

A privileged account has much higher network access levels than standard user accounts. For example, privileged accounts may be able to provision and deprovision users, change user access levels or modify system or application configurations.

Privileged accounts are often called admin accounts, but not all privileged accounts are used by humans. Service accounts, which are used by applications, are privileged accounts.

Additionally, the term “privileged account” may refer to a high-level non-technical user, such as a CEO or CFO, who has access to extremely sensitive data, such as classified government files, medical records or an organization’s financial information.

Privileged account and session management (PASM) is a part of privileged access management (PAM) and it provides organizations with a way to secure, control and monitor privileged user accounts. It enables IT teams to have strong governance over critical administrative user sessions.

Privileged Identity Management (PIM) works in tandem with PAM. While PAM refers to the policies and technical solutions to manage privileged user accounts, PIM involves managing which resources privileged users can access. PIM allows organizations to control, manage and monitor privileged users’ access permissions to specific data and systems.

Privileged session management (PSM) works in tandem with Privileged Access Management (PAM) to secure access to an organization’s most sensitive and critical systems and data. While PAM focuses on securing privileged user credentials, PSM is all about controlling, monitoring and recording privileged sessions, meaning what actions privileged users take once they log into the network.

In addition to preventing privileged users from abusing their access, PSM enables organizations to meet compliance regulations such as SOX, HIPAA, PCI DSS, ICS CERT, GLBA, FDCC and FISMA, which require privileged activity to be logged and monitored.

Privileged user management (PUM) is sometimes used as a synonym of Privileged Access Management (PAM) and privileged identity management (PIM). However, there are key differences. Unlike PAM accounts, PUM accounts are typically shared, and they do not use 2FA/MFA; users access PUM accounts with just a password. For this reason, PUM accounts should be avoided.

The process of establishing user access to entire systems or individual apps. A new hire is provisioned to all the systems and apps they’ll need to perform their job; an employee taking on additional job responsibilities may need to be provisioned to additional apps and systems.

Also known as public key encryption or asymmetric encryption. A method of encrypting data that uses two keys, a public key, which is available for anyone to use, and a private key. Data encrypted with the public key can only be decrypted with the private key, and vice versa.

PWN is hacker slang that originated in the online gaming community as a misspelling of “owned.” (This is why PWN is pronounced like “own,” not “pawn.”) It means to conquer or to dominate – such as by successfully breaching an account or a network.

Remote Authentication Dial-In User Service (RADIUS) is a client-server protocol that enables centralized authentication, authorization, and accounting management for remote and wireless network access. RADIUS runs on the application layer and enables organizations to maintain user profiles in a central repository shared by all remote servers.

Remote Desktop Protocol (RDP) is a proprietary network communications protocol developed by Microsoft, RDP enables secure remote access to workstations and servers. RDP can be used by non-technical end users to remotely access their workstations, as well as by IT administrators and DevOps teams to remotely perform system maintenance and diagnose and repair problems. Using a graphical user interface, remote users can open applications and edit files the same way they would if they were sitting in front of the remote machine.

In addition to Windows, RDP clients are available for Mac OS, Linux/Unix, Google Android and Apple iOS. Open-source versions of RDP software are available.

Representational State Transfer. A modern, stateless, highly flexible API that defines a set of functions, such as GET, PUT and DELETE, that clients can use to access server data. Clients and servers exchange data using HTTP.

Similar to business process automation (BPA), robotic process automation (RPA) refers to software that automates manual and repetitive work. However, unlike BPA solutions, RPA makes heavier use of artificial intelligence and machine learning so that bots can mimic human users and adapt to dynamic circumstances. For example, while BPA is used to email a canned response to a customer (such as an order or shipping confirmation), RPA is used to build interactive chatbots that can analyze customer queries in real-time.

Role-Based Access Control (RBAC), also known as role-based security, is an access control model where a user’s role within an organization determines which network resources they may access. The goal of RBAC is to ensure that users cannot access systems and data that are unrelated to their job functions, enhancing compliance, preventing data leakage and in the event that a user’s credentials are compromised, hampering the ability of a threat actor to move laterally within the network. Works in tandem with least-privilege access.

Security Assertion Markup Language. An open standard for exchanging authentication and authorization data between parties. Typically used by SSO identity providers to communicate with service providers, allowing SSO to be extended across security domains and making web-browser single sign-on possible.

In an IT environment, a secret is any compact datum that must remain confidential. Typically used by non-humans for authentication to highly privileged systems and data. Examples of IT secrets include RDP credentials, SSH keys, API keys and privileged account credentials.

The tools and methods to securely store, access and manage infrastructure secrets in an IT environment, such as API keys, digital certificates and privileged account credentials. Also known as application to application password management (AAPM).

Secure Shell Protocol (SSH) is a cryptographic network protocol that allows two computers to communicate securely. SSH was developed as a secure alternative to Telnet and unsecured Unix remote shell protocols, which transmit data (including passwords) in plaintext. SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user, and it encrypts all communications between the two computers. The most common uses of SSH are remote login and command-line execution.

Security as a Service (SaaS / SecaaS) is a business model where organizations outsource cybersecurity solutions and services instead of using in-house resources. SecaaS can be as minimal as deploying a managed cloud-based PAM or IAM platform or as extensive as outsourcing all of an organization’s security functions.

A security information and event management (SIEM) system is a software platform that aggregates security data from across an organization’s data environment, analyzes it and notifies human security personnel of potential threats. SIEMs collect and analyze data from both hardware and applications, including network devices, servers and domain controllers.

A physical or logical device leveraged by an end user to prove their identity and access a digital resource. Security tokens can be used in addition to passwords, as an 2FA/MFA authentication factor or in place of passwords in a passwordless authentication setup.

Physical security tokens include keycards or security keys (like YubiKey). Digital security tokens include OTPs/TOTPs generated by authentication apps.

Self-Service Password Reset (SSPR) is a business process automation feature that enables users to reset their passwords without having to interact with human IT staff, saving time for both end users and help desk staff. SSPR is typically used to reset lost, forgotten or expired passwords.

A special type of privileged account used by non-human users, particularly applications. Common uses for service accounts include running workloads on virtual machine (VM) instances, running workloads on on-premises workstations or data centers that call APIs and other automated processes.

Human users aren’t directly involved with the creation or use of service accounts. Typically, they’re created and configured by the package manager during software installation, and an application assumes the identity of a service account to call an API or run other processes. This automation saves IT teams time, but like other privileged accounts, service accounts pose major cybersecurity risks and they must be tightly managed and controlled.

A passkey is a modern passwordless authentication technology that allows users to log into accounts and apps using a cryptographic key instead of a password. A passkey leverages biometrics (fingerprint, face recognition, etc.) to confirm the user's identity.

A subset of secrets management, service account governance (SAG) refers to the policies, procedures and technological tools used to secure and manage service accounts, including provisioning and deprovisioning, password management and dependency management.

Shared account password management (SAPM) is similar to privileged user management (PUM). It refers to the management of shared privileged accounts – something that organizations should take pains to avoid, since privileged accounts must be tightly managed and monitored for both security and compliance purposes.

Single Sign-On (SSO) is an authentication method by which users can leverage a single set of credentials to access multiple apps and systems. While SSO is often used synonymously with federated identity management (FIM), SSO enables access within a single domain, while federated identity management enables access to systems and apps across domains.

Example of SSO: Employees use one set of credentials to access their work email, HR portal and other internal resources.

Example of FIM: Employees use one set of credentials to access third-party applications, such as video conferencing apps and ticketing systems.

SSO and FIM are frequently used in conjunction with each other.

An older API that’s fallen out of use in favor of more flexible options like REST. Uses Simple Object Access Protocol, with clients and servers exchanging messages using XML.

Gartner defines software change and configuration management (SCCM) as tools that are used to manage and control software versioning and configurations. Gartner also considers solutions for “development change management, defect tracking, change automation, development release management, integrated test management, integrated build management and other related processes” to be part of SCCM.

System for Cross-Domain Identity Management (SCIM) is an open standard for automating user provisioning and deprovisioning. SCIM enables the exchange of user identity information between identity domains or IT systems via a standardized API through REST, with data formatted in JSON or XML. Organizations use SCIM to automatically add and delete users from third-party platforms, such as office productivity suites, CRMs and ticketing systems, as employees onboard and leave.

As organizations adopt more SaaS solutions, SCIM is rapidly growing in popularity as an alternative to LDAP. Major identity providers, including Azure Active Directory, support SCIM, as do many popular SaaS platforms, including Microsoft Office and Google Workspace.

Transport Layer Security (TLS) and SSL (Secure Socket Layers) are cryptographic protocols that encrypt data and authenticate connections when transferring data over the internet.

TLS evolved from SSL; the TLS protocol was originally supposed to be called SSL 3.0. The name was changed before publication to disassociate it with Netscape, the now-defunct company that created SSL. While the terms TLS and SSL are often used interchangeably, SSL is no longer used, because it contained security vulnerabilities that TLS was developed to fix.

A method by which users can authenticate to an application using a signed cookie containing session state information. Token-based authentication is generally used in conjunction with other authentication methods. In this scenario, another method will be used for initial identity authentication, and token-based authentication is used for re-authentication when a user returns to a website or application.

Universal Authentication Framework (UAF) is an open standard developed by the FIDO Alliance with the goal of enabling passwordless authentication as a primary, as opposed to a secondary, authentication factor.

Universal Second Factor (U2F) is an open standard that uses hardware security tokens, connected via USB or near-field communication (NFC), as additional factors in 2FA/MFA. Initially developed by Google and Yubico, with contribution from NXP Semiconductors, the U2F standard is now hosted by the FIDO Alliance. It was succeeded by the FIDO2 Project.

User Account Control (UAC) is a mandatory access control enforcement feature included in Microsoft Windows systems. UAC helps mitigate the impact of malware by preventing human users, applications and malware from making unauthorized changes to the operating system. It works by forcing every app that requires an administrator access token to prompt for consent before running certain processes, such as installing new software.

User and entity behavior analytics (UEBA) leverages artificial intelligence and machine learning algorithms to create behavioral baselines for human users, routers, servers and endpoints in an organizational network, then monitors for deviations from that baseline. A common example of UEBA in action is when a credit card company temporarily freezes a customer’s account because the algorithm has noticed a dramatic change in user behavior, such as a customer suddenly placing multiple, very large orders.

Vendor Privileged Access Management (VPAM) is a subset of PAM dealing with vendors who need access to sensitive systems; for example, a third-party developer, security vendor or payroll company. VPAM solutions ensure that privileged vendor access follows the same restrictions as the organization’s PAM accounts, such as least-privilege, just-in-time access and session recording/monitoring.

Virtual Network Computing (VNC) is a cross-platform screen sharing system used to remotely control desktops from another computer. Using VNC, a remote user can use a computer's screen, keyboard and mouse as though they were sitting right in front of it.

VNC works on a client/server model, which requires installing a server component on the remote machine being accessed, and a VNC viewer, or client, on the device you’re accessing the remote machine from. VNC utilizes the Remote Framebuffer (RFB) protocol to govern the format of the data passing between the client and server.

VNC is similar to RDP, but VNC works across multiple operating systems and connects directly to the remote computer as opposed to going through a server.

Web access management (WAM) was a predecessor of IAM that was common in the 1990s and early 2000s. WAM solutions provided control and governance over user access to web resources that were hosted on-premises in enterprise data centers. Because WAM tools failed to adapt to the advent of cloud computing, mobility, APIs and remote access, they were replaced by more robust IAM solutions.

WebAuthn (Web Authentication) is a web-based API published by the World Wide Web Consortium (W3C) and a key component of the FIDO2 set of specifications, WebAuthn allows websites to update their login pages to add FIDO-based authentication on supported browsers and platforms.

eXtensible Access Control Markup Language. A structured language leveraged by IAM solutions that support attribute-based access control (ABAC), policy-based access control (PBAC) and other highly complex authorization mechanisms that grant access rights according to a set of granular user attributes that work together.

Zero knowledge is a security model that utilizes a unique encryption and data segregation framework that protects against remote data breaches by ensuring that IT service providers that have no knowledge of the customer data stored on their servers.

In a zero-knowledge environment, data is encrypted and decrypted on the device level, not on the server. The server never receives or stores data in plain text, and the IT service provider cannot access customer encryption keys. As a result, no one except for the customer can access unencrypted data – not even the IT service provider’s own employees.

Keeper Security is a zero-knowledge security provider. Data is encrypted on the user's device before it is transmitted and stored in Keeper’s digital vault. When data is synchronized to another device, the data remains encrypted until it is decrypted on the other device. Keeper cannot access our customers’ master passwords, nor can we access customers' encryption keys to decrypt their data.

A modern IAM framework that assumes that all users and devices could potentially be compromised, and everyone, human or machine, must be verified before they can access the network, and must have least-privilege access to network resources.

Zero Trust Network Access (ZTNA) is a network security framework that focuses on maintaining strict access controls and authentication mechanisms, regardless of whether a user or device is located inside or outside the network perimeter.

Discoverable credentials, also known as resident keys, enable the WebAuthn API to offer high-assurance MFA with a passwordless login experience.

In a "traditional" authentication setup, the user’s credentials are stored on the relying party’s server. This makes it necessary for the server to return the credentials to the authenticator before the authenticator can decrypt and use them. Further, the user must enter a username, and usually a password, to verify their identity.

In a discoverable credential setup, the user’s private key and associated metadata are stored on the authenticator instead of the relying party’s server. During the initial registration process, the relying party’s server generates a user handle containing a unique identifier. This user handle, along with the private key, are stored on the authenticator.

Then, during the authentication process, the authenticator returns the user handle, allowing the server to look up the associated user, instead of the user having to enter their username to log in. If the authenticator also supports PIN or biometric verification, the relying party gets high assurance MFA in a single login step, without any passwords being transmitted.

Attestation refers to evidence or proof of something. The FIDO 2.0 set of security specifications use attestation to provide cryptographic proof of the authenticator model to the relying party, from which the relying party can then derive the authenticator’s security characteristics.

In FIDO 2.0, attestation statements are bound to contextual data. Data is observed and added as a signature request passes from the server to the authenticator. To verify a signature, the server checks the data it receives against expected values.

In the context of FIDO 2.0, a relying party is a website or any other entity that uses the FIDO protocol to authenticate users directly.

In cases where FIDO is combined with federated identity management protocols, such as SAML and OpenID Connect, the identity provider is also a FIDO relying party.