
ATO Glossary

Central reference for authentication and account takeover terminology

By Benjamin, Fraud Attacks

Quick reference for authentication, authorization, and account takeover terminology used throughout this module.


A

AAL (Authentication Assurance Level) - NIST framework measuring authentication strength. AAL1 requires a single authentication factor (commonly a password). AAL2 requires two factors with cryptographic proof of possession. AAL3 requires two distinct factors including a hardware-based cryptographic authenticator with a non-exportable private key and verifier impersonation (phishing) resistance.

ABAC (Attribute-Based Access Control) - Authorization model where access decisions are based on attributes of the user, resource, and context rather than predefined roles.

Access Token - Short-lived credential (usually minutes to hours) that grants permission to access specific resources. Issued after successful authentication.

Account Recovery Abuse - Exploiting password reset workflows to gain unauthorized access. Attackers target weak recovery methods like security questions or backup email addresses.

Account Takeover (ATO) - Unauthorized access to someone's account to steal value, information, or use the account's reputation. The attacker gains control by obtaining valid credentials or session tokens.

Authentication (AuthN) - The process of verifying identity. Answers the question: "Who are you?"

Authorization (AuthZ) - The process of verifying permissions after identity is confirmed. Answers the question: "What are you allowed to do?"

C

Combo List - Database of leaked email/password pairs from data breaches, used in credential stuffing attacks.

Credential Stuffing - Automated attack testing stolen username/password pairs across multiple sites. Works because people reuse passwords. Success rates are low (0.2-2%) but scale makes it profitable.

Customer Service Social Engineering - Manipulating support staff to bypass security controls, reset passwords, or change account settings without proper verification.

D

Deepfake - AI-generated synthetic media that mimics a real person's appearance or voice. Used to bypass video-based identity verification or liveness checks.

F

Federated Authentication - Trusting an external identity provider to verify users instead of managing credentials directly. "Sign in with Google" is a common example.

G

Ghost Account - Account that remains active without clear ownership or monitoring. Often created for former employees, contractors, or service accounts that were never deactivated.

H

Hardware Security Key - Physical device (like YubiKey) that provides phishing-resistant authentication. The key is cryptographically bound to specific domains, so it won't work on lookalike phishing sites.

I

IAL (Identity Assurance Level) - NIST framework measuring confidence that a person is who they claim to be. IAL1 is self-declared, IAL2 requires remote identity proofing, IAL3 requires in-person verification.

Identity Provider (IdP) - System that verifies user identity and issues authentication tokens. Examples include Okta, Google, Microsoft Entra ID (formerly Azure AD), and OneLogin.

K

Knowledge-Based Authentication (KBA) - Identity verification using personal facts like mother's maiden name, first car, or high school mascot. Weak because answers are often discoverable through social media or data breaches.

L

Least Privilege - Security principle that users and systems should have only the minimum permissions necessary to perform their function.

Liveness Detection - Identity verification technique requiring real-time actions (blinking, turning head, speaking a phrase) to prove the person isn't showing a photo or video.

M

Multi-Factor Authentication (MFA) - Requiring two or more authentication factors from different categories: something you know (password), something you have (phone, security key), or something you are (fingerprint, face).

O

OAuth - Authorization protocol that grants applications limited access to user accounts without sharing passwords. OAuth handles what an app can do, not who the user is.

OpenID Connect (OIDC) - Authentication layer built on top of OAuth. Adds identity verification (who the user is) to OAuth's authorization capabilities.

P

Passkey - Phishing-resistant credential using public-key cryptography. The private key never leaves the device and is cryptographically bound to specific domains, preventing use on phishing sites.

Password Spraying - Attack testing one or two common passwords against many accounts before moving to the next password. Avoids account lockouts triggered by multiple failed attempts on a single account.

Payout Diversion - Changing where a platform sends money, redirecting funds to attacker-controlled accounts. Common in marketplace and gig economy account takeovers.

Permission Creep - Gradual accumulation of access permissions over time as users change roles or take on temporary responsibilities without old permissions being removed.

Port-Out Fraud - Attack where criminals transfer a victim's phone number to a different carrier, gaining control of SMS-based authentication codes. Similar to SIM swap but involves carrier transfer.

Pretexting - Creating fabricated scenarios to manipulate targets into revealing information or performing actions. The attacker assumes a false identity with a believable backstory.

Privilege Escalation - Gaining access permissions beyond what was originally granted, either vertically (regular user to admin) or horizontally (accessing another user's data at the same level).

Push Fatigue - Attack where criminals spam MFA push notifications repeatedly, hoping the victim approves one to make them stop.

R

RBAC (Role-Based Access Control) - Authorization model where permissions are assigned through predefined roles (Admin, Editor, Viewer) rather than directly to individual users.

Real-Time Phishing Proxy - Attack infrastructure (like Evilginx) that sits between the victim and the legitimate site, capturing credentials and session tokens as they pass through. Defeats MFA methods based on codes or push approvals because it captures the already-authenticated session; origin-bound authenticators (passkeys, hardware security keys) resist it because they refuse to sign for a lookalike domain.

Refresh Token - Long-lived credential used to obtain new access tokens without re-authentication. If stolen, it provides persistent access until explicitly revoked.

S

SAML (Security Assertion Markup Language) - XML-based protocol for enterprise single sign-on. The identity provider issues signed SAML assertions that service providers trust.

SAML Assertion - Signed XML document from an identity provider confirming a user's identity and attributes. If stolen or forged, grants access to any application trusting that IdP.

Segregation of Duties - Security principle requiring multiple people to complete high-risk processes. No single person should control an entire sensitive workflow.

Session - Period during which a user stays logged in after successful authentication, maintained by session tokens.

Session Hijacking - Stealing a session token to impersonate an authenticated user without knowing their password. The attacker takes over an already-authenticated session.

Session Token - Data stored in browser cookies or headers that proves the user already authenticated. Like a wristband at an event that proves you already checked in.

SIM Swap - Attack where criminals convince a mobile carrier to transfer a victim's phone number to a SIM card they control. Lets them receive SMS authentication codes intended for the victim.

Single Sign-On (SSO) - Authentication system where one login grants access to multiple applications. Convenient for users but creates a single point of failure if the identity provider is compromised.

Social Engineering - Manipulating people to divulge confidential information or perform actions that compromise security. Targets human psychology rather than technical vulnerabilities.

T

TOTP (Time-Based One-Time Password) - Authentication codes generated by apps like Google Authenticator, Microsoft Authenticator, or 1Password. Codes change every 30 seconds based on a shared secret and current time.
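
The following is an added example, not code from the glossary or its author, showing how the shared secret and 30-second time step produce a TOTP code (RFC 6238 on top of RFC 4226 HOTP) and how a server should verify one with a small drift window and a constant-time compare. The secret is the RFC 6238 reference seed, used as a constructed sample so the output can be checked against the RFC's published vectors; the base32 form mirrors what an enrollment QR code carries.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the 30-second window the glossary entry describes

# Constructed sample seed (the RFC 6238 reference secret); real seeds are random.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # same bytes, base32-encoded


def seed_from_base32(seed: str) -> bytes:
    """Decode the base32 seed from an enrollment URI; QR payloads often omit '=' padding."""
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time=None, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of 30-second steps since the epoch."""
    now = int(time.time()) if unix_time is None else unix_time
    return hotp(secret, now // STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, unix_time=None,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side for
    clock drift, comparing in constant time. A real verifier must also remember the
    step a code was accepted for so the same code cannot be replayed within the window."""
    now = int(time.time()) if unix_time is None else unix_time
    step = now // STEP_SECONDS
    for candidate in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):       # RFC 6238 test times
        print(t, totp(SAMPLE_SECRET, t, digits=8))
```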

Token Replay - Reusing a stolen authentication token before it expires. Applies to session tokens, access tokens, and SAML assertions.