
Glossary

This page is an alphabetical list of terms and concepts that are useful in understanding Nevis Authentication Cloud functionality. Use the sidebar on the right to browse the page, or your internet browser's find (Ctrl+F / ⌘+F) function to search for specific terms.

Access Key

Access keys are API tokens that allow you to communicate with the Authentication Cloud API. Each access key is a unique identifier for the application or user making an API request.

API

API stands for Application Programming Interface. APIs are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols. In the context of APIs, "application" refers to any software with a distinct function. "Interface" can be thought of as a contract of service between two applications. This contract defines how the two communicate with each other using requests and responses.

Assertion

When a user wants to log in to a service, the server sends a challenge and the authenticator signs it with the key pair previously registered for that service. The signed challenge is the assertion. The format of the assertion is always the same regardless of the device being used.

Attestation

Attestation is the process of verifying a generated key pair that is specific to a device. Once the key pair is verified (attested), it can be used to cryptographically prove that the device is genuine.

Authentication

Authentication is the process of verifying a user through their registered authenticator before allowing access to a resource. This ensures only those with authorized credentials gain access to secure systems.

The process involves the server providing the authenticator with a challenge, which the authenticator cryptographically signs with the key pair created during registration and returns to the server to confirm authenticity.

Biometrics

Biometrics are measurements of physical characteristics that uniquely identify individuals. This includes fingerprint mapping, facial recognition, retina scans etc. Using technologies that can create and compare biometric measurements with very high precision, biometrics can be used to identify and securely authenticate users.

Cross-platform authenticators

Cross-platform authenticators, also referred to as roaming authenticators, are a type of passkey authenticator: a portable hardware device, such as a security key or a mobile device, that can be used to verify a user's identity across multiple platforms.

Cross-platform authenticators allow a user to authenticate on new devices where no credential exists yet, so users can still authenticate to a service even when their existing workstation is lost or corrupted.

Challenge

A challenge, in challenge-response authentication, is a security step in which the client that wants to access a system has to provide evidence that it has the right to access it. The challenge can take the form of a password prompt, a request for biometric authentication, or even a CAPTCHA request.

Discoverable credentials

Discoverable credentials are a mechanism used in passkeys that allows a user to authenticate to a service without entering a username or password, which is a significant ease-of-use advantage for the user.

When used, the user is shown a list of the available, discovered credentials on their authenticator and selects the one to use.

This mechanism underpins the Conditional UI, or passkey autofill, feature.

FIDO

FIDO is an abbreviation for Fast Identity Online, and refers to the FIDO Alliance, an open-industry association that promotes passwordless authentication and device attestation solutions. The FIDO UAF and FIDO2 specifications are industry standards that define secure, passwordless authentication solutions.

Introspection

Token introspection is a mechanism that allows resource servers to get information about access tokens. Through this, resource servers can check the validity of access tokens and discover other information, such as which user and which scopes are associated with the token.

Mobile app

In the context of Nevis Authentication Cloud, mobile app refers to an app on a mobile device that carries Authentication Cloud functionality and is used for secure authentication. This can either be a customer application with a Nevis Mobile Authentication SDK integration, or a custom-branded Access App provided by Nevis.

Multi-device passkeys

Multi-device passkeys (MDCs) are credentials that can be moved and synced between devices. This means that if a user has multiple devices, they can use the built-in authenticator to validate a credential regardless of whether they are using the device on which the credential was created.

This offers a higher degree of usability, as users can use any of their devices to authenticate to services without having to enroll each one individually. MDCs may also be shared between different users. For example, you can AirDrop your passkey to another person in the case of shared accounts.

MDCs are commonly embedded into devices such as a mobile phone or laptop. Platforms that support MDCs include Windows Hello, Apple iCloud Keychain, and Google Password Manager.

One-time password (OTP)

A one-time password is a machine-generated security code that is used as a second factor in traditional multi-factor authentication scenarios. OTPs are typically provided via SMS messages, and they are only valid for a given time period, after which they expire.

SMS OTPs have the advantage of allowing multi-factor authentication that relies only on cell service on the user's device. On the other hand, they provide poor protection in scenarios where an attacker is in possession of the device.

Passkey

A passkey is a digital credential, tied to a user account and a website or application. Passkeys allow users to authenticate without having to enter a username or password, or provide any additional authentication factor. This technology aims to replace legacy authentication mechanisms such as passwords.

When a user wants to sign in to a service that uses passkeys, their browser or operating system helps them select and use the right passkey. The experience is similar to the way saved passwords work. To make sure only the rightful owner can use a passkey, the system asks them to unlock their device. This may be performed with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern.

Passkey autofill

The passkey autofill feature is intended to provide an experience for passkeys similar to that of traditional autofill to ease the user experience, and transition users to passwordless authentication.

Passkey autofill integrates passkey options directly into the browser's familiar autofill suggestions. When a user taps on a username field on a website that supports passkeys, the browser shows the available passkeys for that service. The passkey can then be selected, and the browser automatically completes the sign-in process using the device's authentication mechanism e.g. Face ID or fingerprint.

This streamlined approach eliminates the need to search for passkeys or remember which one to use, making passkey authentication more user-friendly and encouraging wider adoption for enhanced security.

Payment Service Directive 2 (PSD2)

The Revised Payment Services Directive (PSD2) is a European directive introduced in 2009 with the aim of creating a more open, competitive, and secure payments landscape in the EU and EEA.

To improve competition in the payments landscape, Payment Services Directive (PSD2) allows non-bank financial institutions to access bank data and bank accounts. This is based on the idea that users own the data and accounts rather than banks, and so they can make the decisions on who should have access to their data.

Phishing

Phishing is an attempt to steal sensitive information, such as passwords or credit-card numbers, in order to gain access to protected resources or to sell the acquired information. In a phishing attempt, the attacker typically impersonates a reputable source to trick users into revealing sensitive information.

Platform authenticators

Platform authenticators are built-in security features on devices like smartphones and laptops that provide strong authentication without the need for external hardware. They leverage the device's inherent capabilities, such as fingerprint sensors, facial recognition cameras, or PIN codes, to verify the user's identity. Common examples include Apple's Touch ID and Face ID, Windows Hello, and the fingerprint scanners found on many Android devices. These authenticators offer a convenient and secure way to access devices and online services, eliminating the need for passwords and providing a seamless user experience.

Public key cryptography

Public key cryptography is a method of encrypting or signing data using two keys: a public key that is available for anyone to use, and a private key that is kept secret. The public key is used for encryption and signature verification, while the private key is used for decryption and signing. The main benefit of the method is that no secret is stored on the server side, which eliminates the security issues associated with server-side data breaches.

Push bombing

Push bombing is a multi-factor authentication (MFA) fatigue attack in which the attacker triggers multiple login attempts to a service, using leaked passwords against a traditional multi-factor authentication setup involving a password plus a second factor. The attacker enters the stolen password, which triggers a push notification on the user's authenticator device to complete the authentication using the second factor.

The method is often successful because, especially in work scenarios, users have to re-authenticate to various services many times a day, which can create a habit of approving second-factor push messages without much thought.
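A defender-side check for the pattern described above, added here as an example and not part of Nevis Authentication Cloud: the log format, field names and thresholds are assumptions, and the log lines are constructed for the demo.

```javascript
// Added example (not Nevis code): flags MFA push-bombing patterns in constructed
// authentication log lines. The line format below is an assumption for the demo:
//   <ISO timestamp> user=<id> event=<push_sent|push_denied|push_approved>
const SAMPLE_LOG = [
  '2024-05-01T08:00:01Z user=bob event=push_sent',
  '2024-05-01T08:00:09Z user=bob event=push_denied',
  '2024-05-01T08:00:15Z user=bob event=push_sent',
  '2024-05-01T08:00:20Z user=bob event=push_denied',
  '2024-05-01T08:00:31Z user=bob event=push_sent',
  '2024-05-01T08:00:40Z user=bob event=push_denied',
  '2024-05-01T08:00:55Z user=bob event=push_sent',
  '2024-05-01T08:01:02Z user=bob event=push_approved',
  '2024-05-01T08:05:00Z user=carol event=push_sent',
  '2024-05-01T08:05:04Z user=carol event=push_approved',
];

function parseLine(line) {
  const m = /^(\S+) user=(\S+) event=(\S+)$/.exec(line);
  return m ? { ts: Date.parse(m[1]), user: m[2], event: m[3] } : null;
}

// Raises an alert when, within a sliding window per user, the number of push
// prompts reaches maxPushes (a burst of unsolicited prompts), or an approval
// follows maxDenials or more denials (the fatigue pattern described above).
function detectPushBombing(lines, opts = {}) {
  const { windowMs = 10 * 60 * 1000, maxPushes = 4, maxDenials = 2 } = opts;
  const recentByUser = new Map();
  const alerts = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const recent = (recentByUser.get(ev.user) || []).filter(e => ev.ts - e.ts <= windowMs);
    recent.push(ev);
    recentByUser.set(ev.user, recent);
    const pushes = recent.filter(e => e.event === 'push_sent').length;
    const denials = recent.filter(e => e.event === 'push_denied').length;
    if (ev.event === 'push_sent' && pushes === maxPushes) {
      alerts.push({ user: ev.user, at: new Date(ev.ts).toISOString(), reason: 'push_burst', pushes });
    } else if (ev.event === 'push_approved' && denials >= maxDenials) {
      alerts.push({ user: ev.user, at: new Date(ev.ts).toISOString(), reason: 'approval_after_denials', denials });
    }
  }
  return alerts;
}
```

On the sample log, bob triggers both alerts while carol's single prompt and approval are left alone.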

Registration

Authenticator registration is the process of setting up a new authenticator, such as a security key or an authenticator app, to allow a user to authenticate using FIDO methods to access a service.

This process involves linking the authenticator to an account through a simple process, such as scanning a QR code on a secondary device or initiating the process from the primary device. Once registered, the authenticator can be used to verify the identity of the user and provide a strong authentication mechanism to access their account.

Relying party

In the context of Passkeys, the relying party is the web application or service that offers the option for users to log in using passkeys.

Response signing

Response signing is a security measure that ensures the authenticity of information received from a web application server API. It is an additional measure for when requests to the API are made from devices that you do not control. In practice, the signature is sent along with the API response; if an attacker modifies the response body, the signature no longer matches. This can be detected in your application backend, so that you can block the tampered response.

REST API

A REST API is an interface that two computer systems use to exchange information securely over the internet. REST stands for Representational State Transfer, and it is a software architecture with defined conditions on how the API should work. Using the REST API architecture brings several benefits. An important one is scalability. Systems that use REST APIs optimize client-server interactions. REST APIs are stateless, meaning that servers do not retain past request data. This reduces server load. RESTful APIs are also independent of the programming languages used to create the server applications.

REST API requests and responses

The basic function of a REST API is similar to browsing the internet. An API call happens through the following steps:

  1. The client contacts the server by sending a request when it needs a resource. The client uses the correct format for the request, as explained in the API documentation of the web application.
  2. The server performs the authentication of the client to make sure it has permission to make the request.
  3. If the authentication is successful, the server receives and processes the request.
  4. The server returns a response to the client. This response contains information about whether the request was successful and, if it was, the requested data.

SDK

SDK stands for Software Development Kit, and it is a set of software-building tools in one installable package. An SDK can be used by developers to easily integrate their apps with third-party services.

Single-device passkeys

Single-device passkeys, or single-device credentials (SDCs), are passkeys that are bound to a specific device, meaning they can only be used to sign in from the device on which they were created. This enhances security by preventing the credential from being copied or transferred to another device.

While they offer strong protection against phishing and account takeovers, their limitation lies in the lack of flexibility for users who frequently switch between devices.

Strong Customer Authentication (SCA)

Strong Customer Authentication (SCA) is a European regulatory requirement to reduce fraud and make online and contactless offline payments more secure. It applies to all customer-initiated online and contactless offline payments within the EU, EEA and the UK.

SCA requires authentication to employ at least two of the following three elements:

  • Something the user knows, such as a PIN or password
  • Something the user has, such as a mobile device or a hardware token
  • Something the user is, meaning biometric measurements

Token

An authentication token is a computer-generated code that is used to verify the identity of a user. The use of tokens allows users access to resources, without having them re-enter their login credentials each time they visit. Auth tokens are encrypted and machine-generated. They can expire and can be revoked, which provides better protection against attack scenarios like brute-force attacks or stolen passwords.

Transaction signing

Transaction signing is a security measure where a user authenticates again when reviewing the transaction they are making, marking it as valid and authentic. In terms of secure authentication, this means that when committing to a sensitive transaction, such as transferring money through a banking application, the user is asked to authenticate using their pre-registered secure authentication method. This ensures that no sensitive transaction is processed without the explicit permission of the authenticated user, even if the user has already authenticated for login to the application.

Two-factor authentication (2FA)

Two-factor authentication (2FA) is a security measure that requires two separate forms of authentication to allow access to a resource. Two-factor authentication can be used to strengthen the security of a system.

User presence

With user presence (UP), the intent is to ensure that a user is physically present and in control of the authenticator. For example, an external hardware device used for authentication might have a touch sensor that cannot be controlled by software. The primary function of user presence is to provide some indication that a user was physically in control of the device during an authentication or registration ceremony.

User verification

User verification (UV) serves to ensure that the person authenticating to a service is in fact who they say they are for the purposes of that service. The relying party directs the authenticator to perform user verification; the authenticator performs it locally and signals to the application whether it was successful. User verification can take various forms, such as a password, PIN, fingerprint, or face scan. The point is for the user to prove not only physical possession of the device, but ownership of it.

WebAuthn

WebAuthn, or the Web Authentication API, is a specification written by the W3C and the FIDO Alliance as part of the FIDO2 framework. The API allows servers to register and authenticate users without passwords, using public key cryptography instead. With this method, servers can integrate with the strong authenticators built into devices, such as Windows Hello or Apple's Touch ID or Face ID, and leverage them for easy and secure authentication.