Active Directory (AD) / Active Directory Federation Services (ADFS)
Active Directory is a scalable, hierarchical directory service for the centralized management of all resources relevant to a network. AD uses stored usernames and passwords to manage and secure access to computers within a domain. ADFS builds on this functionality to authenticate users against third-party systems.
API / Programming Interface
API stands for Application Programming Interface. An API is the interface through which a programmer's software accesses the functions of a device (hardware) or of another software component. It thus connects software and hardware components, such as applications, hard disks or user interfaces, and makes a component's functionality usable by other software.
Authentication
Authentication is the process of logging in to a system, in which the system identifies and verifies the identity of the user. In the simplest case this is done with a username and password.
Validating, or authenticating, the identity of a user can be done in various ways. These are referred to as authentication methods; the most common ones that cidaas supports include conventional (user ID/password) authentication, biometric factors such as face, fingerprint and voice, pattern-based authentication, Smart Push, TOTP, backup codes, FIDO U2F, and e-mail-, SMS- and IVR-based authentication.
An IAM module that provides specific authentication methods and authenticates the user by checking the corresponding attributes.
Authorization
Authorization is the granting of specific rights, for example at the end of a registration process. Even if a person has been identified successfully, that does not automatically mean that the person may use the services provided. This is decided by the authorization, i.e. the access rights.
Backup Codes
If you have misplaced your authentication device (e.g. mobile phone) and cannot receive codes via SMS, voice call or an authenticator app, you can log in with the backup codes provided during the setup of two-factor authentication.
Biometrics
Biometrics is an authentication method that identifies users by biological characteristics, such as the face, fingerprint, iris or voice. A biometric scanner reads a biological attribute of the user, e.g. their face, and converts it into digital information that a software program can interpret and verify during the authentication process.
A person's face, voice and fingerprint are biometrically unique and are therefore also used for secure verification. They contribute reliably to protection against identity theft, fraud and data misuse.
Cloud Software
In simple terms, cloud software is a service that, like other computing services (databases, network components, storage, etc.), is provided through the cloud, i.e. the Internet. Companies that provide these computing services are called cloud providers and typically charge for them based on usage, just as you are charged for your home's water and power consumption.
Consent Management
Consent Management is the process of letting users determine which information they are willing to let third-party providers or other applications access, managing their consent preferences, and sharing user data accordingly. Consent management supports the dynamic creation, management and enforcement of consumer, organizational and jurisdictional privacy policies.
Customer Identity Management
The key features of Customer Identity and Access Management are uniquely identifying users and securely managing user accounts and access privileges. In addition, the collected data on user habits and needs can be used for direct, individual customer dialogue.
Device Management
Device Management is the management of approved devices based on device information such as browser, operating system and device type (e.g. smartphone, tablet).
E-mail Opt-in
E-mail opt-in means automatic e-mail verification after registration, which provides additional protection when authenticating a user. After successful registration, the user receives an e-mail with instructions to confirm their contact information. This e-mail contains a unique link that directs the user to a preconfigured landing page of the provider and sends a message confirming the address to the provider's system.
E-mail-based Authentication
In e-mail-based authentication, the user receives a verification code at their registered e-mail address and must enter it to have their identity verified.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (EU) ("GDPR") is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The regulation contains provisions and requirements on the processing of personal data of individuals. It aims primarily to give individuals control over their personal data, and also addresses the export of personal data outside the EU and EEA.
The GDPR lists a number of requirements and security measures that data processors and data controllers have to adhere to while handling PII (personally identifiable information). Organizations that satisfy all these obligations are said to be GDPR compliant.
Identity and Access Management (IAM)
Identity and Access Management (IAM) is the generic term for the processes within an organization that manage and maintain user accounts and resources on the network, including authorization management for application users and systems.
Identity
An identity is the unique identifier of a person, organization, resource or service, along with optional additional information (e.g. permissions, attributes). The identity encapsulates uniquely attributable characteristics.
Identity Management
Identity Management (ID Management) is the administrative task of identifying individuals in a system (e.g. a country, network or company). It controls the access of individuals to a resource within the system by comparing user rights and constraints with the established identity.
Interceptor
An interceptor is a software design pattern for extending a framework or middleware without changing the framework itself. It falls under the category of behavioral patterns, i.e. design patterns that model complex behavior in software.
Interactive Voice Response (IVR)
IVR stands for Interactive Voice Response, a voice response system. The user receives a voice call on their registered device and must enter the verification code provided in order to verify their identity.
JSON Web Token (JWT)
JWT (JSON Web Token) is an open standard that defines a compact, self-contained way to securely transfer information between parties on the Web as a JSON object. The token can be verified and trusted because it is digitally signed using a related standard, JWS (JSON Web Signature). Additional information can be placed in self-defined data fields in the token's payload, and that content can be transmitted encrypted using another standard, JWE (JSON Web Encryption). On the Web, JWT is used as a standardized way to realize SSO and the secure transmission of information between the parties involved (API consumers, applications, etc.).
Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is a network protocol used to query a distributed directory service. A company's existing LDAP system can be integrated as a login provider, so that the access rights of internal and external users can be securely checked. Access to company accounts can thus be made available not only to employees, but also, for example, to customers online.
Multi-factor Authentication (MFA)
Multi-factor authentication (MFA) is a technique that combines two or more credential proofs (factors) to validate user identities. Factors can be:
- Physical possession, e.g. a bank card
- Knowledge, e.g. a password
- Biometric data, such as a fingerprint or face scan
OAuth2
OAuth2 is an open security protocol that enables standardized and secure API authorization for desktop, web and mobile applications. It has become the worldwide standard for protecting API interfaces and granting access only to authorized clients.
One Time Password (OTP)
An OTP (One-Time Password) is an automatically generated numeric or alphanumeric string that authenticates a user for a single session. One-time passwords are used in place of, or in addition to, password authentication in order to add another security layer.
OpenID Connect (OIDC)
OpenID Connect (OIDC) is a standard authentication protocol built as an extension of the OAuth 2.0 standard that adds login and single sign-on capabilities. OIDC provides the end user's identity information in the form of an id_token that verifies the user's identity. The standard is maintained by the OpenID Foundation.
Passwordless Authentication
An authentication mechanism that allows users to log in and access their resources/services without having to remember passwords. Instead of entering a password, the user receives a One-Time Password (OTP) at their registered e-mail address or mobile number and logs in with it to access their resources/services.
Pattern-based Authentication
When authenticating via a pattern, the pattern is defined at initial registration, and the user must enter it for authentication when logging in again.
Personally Identifiable Information (PII)
Personally identifiable information (PII) is information that can be used on its own or with other information to identify, contact or locate a single person, or to identify an individual in context.
Progressive Profiling
Also referred to as intelligent profiling, progressive profiling is the process of incrementally aggregating user information over the course of the customer journey to build holistic user profiles of customers.
PSD2
On October 8, 2015, the European Parliament adopted the European Commission's proposal to create safer and more innovative European payments through the PSD2 Directive. The new rules aim to better protect consumers when they pay online, promote the development and use of innovative online and mobile payments such as open banking, and make cross-border European payment services safer. The banks' monopoly on account information will hence end, and they will have to make their interfaces accessible to third-party providers (TPPs).
For banks to remain compliant, a robust identity and access management solution with fail-safe authorization processes is crucial to open up their interfaces to TPPs and share sensitive data securely.
Strong Customer Authentication (SCA)
SCA stands for Strong Customer Authentication and is associated with secure electronic payments. Strong authentication is required when the user accesses their account and triggers a payment transaction. Two-factor authentication is used to uniquely identify the user: by confirming a second factor such as a PIN/TAN or a biometric factor such as a fingerprint, the risk of fraud is minimized.
Software Development Kit (SDK)
A Software Development Kit (SDK) is a collection of programming tools and libraries used to develop software. It helps software developers create applications by building on what already exists.
Single Sign-on (SSO)
Single sign-on, also called one-time login, enables end users to log in to all online services with a single identity. After a single login, SSO allows the user to access all content and services of the provider in different portals and on all devices without signing in again. If the user switches to another service of the provider, SSO checks the access, and on a successful request the customer gets access to these resources, independent of the touchpoint.
Smart Push
A push notification is a message displayed on a user's mobile device. Smart Push allows the user to authenticate by selecting the correct code displayed in the push message.
SMS-based Authentication
In SMS-based authentication, the user receives a verification code via SMS on their registered mobile device and must enter it to have their identity verified.
Social Login
Social login is also referred to as social sign-in. Users can easily register using their favorite social network: during registration on an online portal, the user selects their preferred social media account (Facebook, Twitter, Google+, etc.) and can thus be authenticated or uniquely mapped by the website operator.
Token
Used in conjunction with identity management as a security token. A security token is a hardware component for identifying and authenticating users; occasionally the term also refers to software tokens. Tokens are usually part of an access control system with two-factor authentication.
Time-based One-time Password (TOTP)
TOTP stands for Time-based One-time Password: a temporary six- or eight-digit passcode generated by an algorithm and used to authenticate users based on the current time and the registered device.
Two Factor Authentication
Two Factor Authentication (2FA) is a technique that combines two credential proofs (factors) to validate user identities. Factors can be:
- Physical possession, e.g. a bank card
- Knowledge, e.g. a password
- Biometric data, such as a fingerprint or face scan
Universal 2nd Factor (U2F)
U2F stands for Universal 2nd Factor and is an industry standard that supports two-factor authentication (2FA) using special USB or NFC devices. Developed by Google and Yubico, with support from NXP Semiconductors, the standard is now hosted by the FIDO Alliance.
Big Data analytics tools use learning algorithms to identify the many different e-mail IDs of a customer that actually belong to one and the same customer. Only a single identity of the customer is stored.
User Self Service
Via a user portal, registered users can manage their own account and, to a certain extent, modify their corresponding database entry. This allows, for example, changing passwords or restoring lost ones through an automated process.
Voice Recognition
Voice recognition is a biometric authentication method. Similar to passwords or PINs, it is used to identify the respective person, in this case by their voice.
Webhooks
Webhooks are a non-standard method of communicating with servers that allows server software to announce that a particular event has occurred and to trigger a response to that event.