Identity and Access Management

Authentication
Authentication is the process of verifying that a user, device, or service is really the identity it claims to be.
Authorization
Authorization is the process of deciding what an authenticated identity is allowed to access or do.
Multi-Factor Authentication
Multi-factor authentication requires more than one independent kind of proof so a password alone is not enough to log in.
Single Sign-On
Single sign-on lets one successful authentication session provide access to multiple related applications.
Passwordless Authentication
Passwordless authentication verifies identity without requiring the user to know or type a traditional password.
Hardware Token
A hardware token is a physical device used as part of authentication, often to provide stronger proof of identity than a password alone.
Role-Based Access Control
Role-based access control grants permissions through defined roles so access can be managed consistently instead of one user at a time.
Attribute-Based Access Control
Attribute-based access control uses attributes and policy rules, not just role membership, to decide whether access should be granted.
Privileged Access Management
Privileged access management controls, monitors, and reduces high-risk administrative access to critical systems and data.
SAML
SAML is a federation standard commonly used to carry authentication and identity assertions between an identity provider and an application.
OAuth
OAuth is a delegated authorization framework that lets one application access resources on a user's behalf without sharing the user's password.
OpenID Connect
OpenID Connect adds an identity layer on top of OAuth so applications can verify who the user is as part of a modern login flow.
Kerberos
Kerberos is a ticket-based network authentication protocol commonly used in enterprise environments to verify identities without sending passwords repeatedly.
LDAP
LDAP is a protocol for accessing and managing directory information such as users, groups, and organizational records in identity systems.
Biometrics
Biometrics are authentication methods that use physical or behavioral traits to help verify identity.
Policy-Based Access Control
Policy-based access control uses explicit policy rules to decide what access should be granted in a given context.
Access Review
An access review is a structured check of who has access to a system or resource and whether that access is still appropriate.
SCIM
SCIM is a standard for automating identity provisioning and lifecycle updates between systems.
Identity Governance and Administration
Identity Governance and Administration, or IGA, is the discipline that manages identity lifecycle, access requests, approvals, reviews, and access policy oversight at scale.
Least Privilege Access
Least privilege access is the practice of granting only the minimum access needed for a person or system to perform a legitimate task.
Identity Provider
An identity provider is the system that authenticates identities and supplies trusted login assertions or identity information to other services.
Service Account
A service account is a non-human account used by an application, script, workload, or automated process to authenticate to another system.
Break-Glass Account
A break-glass account is a tightly controlled emergency account kept for exceptional situations when normal identity systems or administrative paths are unavailable.
Conditional Access
Conditional access is a policy approach that allows, blocks, or steps up access based on context such as user, device, location, or risk.
Identity Lifecycle
Identity lifecycle is the process of creating, updating, reviewing, and removing identities and their access over time.
Just Enough Administration
Just enough administration is an approach that gives administrators only the exact administrative capabilities needed for a specific operational role or task.
Just-in-Time Access
Just-in-time access is a model where elevated permissions are granted only when needed and removed automatically after a limited period.
Identity Governance
Identity governance is the discipline of deciding, reviewing, and controlling who should have access to which systems and data.
Account Provisioning
Account provisioning is the process of creating, updating, and disabling user or service accounts and assigning the right access to them.
Access Token
An access token is a credential used by an application or client to call a protected resource after authorization has been granted.
Refresh Token
A refresh token is a credential used to obtain a new access token without forcing the user to reauthenticate every time a short-lived token expires.
Token Revocation
Token revocation is the process of invalidating an issued token before its normal expiration time.
Phishing-Resistant Authentication
Phishing-resistant authentication is an authentication approach designed to reduce the chance that a user can be tricked into handing over reusable sign-in proof.
Identity Proofing
Identity proofing is the process of verifying that a person is who they claim to be when an account is created, recovered, or issued higher-trust access.
Account Lockout
Account lockout is a control that temporarily or conditionally blocks further sign-in attempts after repeated failed authentication attempts.