Comprehensive Glossary of Security Key and Authentication Terms

This glossary provides a thorough overview of essential terms related to FIDO2 security keys, hardware security, password management, and authentication protocols. For more information on high-security hardware keys, visit the Thetis FIDO2 Security Key page.


  • Access Control
    Security measures that restrict access to resources based on user permissions and roles.

  • Adaptive Authentication
    An authentication method that adjusts security requirements based on context, such as the user’s location or device.

  • Account Lockout
    A security feature that temporarily locks an account after repeated failed login attempts to prevent unauthorized access.

  • Account Recovery
    A process to regain access to an account if credentials are lost or compromised.

  • Account Takeover
    A type of fraud where an attacker gains unauthorized access to a user’s account, often through stolen credentials.

  • Advanced Encryption Standard (AES)
    A widely used symmetric encryption standard providing high security and efficiency, commonly found in secure systems.

  • Asymmetric Encryption
    A cryptographic method using public and private key pairs to secure data and authenticate users.

  • Audit Trail
    A detailed record of user activity, often used for compliance and monitoring.

  • Authentication Factor
    A verification method, such as a password, hardware security key, or biometric data, used to authenticate a user.

  • Authenticator
    A device or application that generates secure codes or signs challenges for authentication.

  • Authenticator Assurance Level (AAL)
    A standard defining the assurance levels for authenticators, with higher levels requiring stronger security methods.

  • Authorization
    The process of verifying permissions and access levels for a user to ensure secure access to resources.

  • BIOFP+
    A biometric authentication standard, used in high-security hardware, offering reliable fingerprint-based identity verification.

  • Biometric Authentication
    An authentication method using unique physical characteristics, such as fingerprints or facial recognition, to verify a user’s identity.

  • CCEAL6+
    Common Criteria Evaluation Assurance Level 6+, a security certification for high-assurance devices meeting stringent cryptographic standards.

  • Challenge-Response Authentication
    A security method where a device signs a random challenge to prove user identity without revealing passwords.

  • Client to Authenticator Protocol (CTAP)
    A protocol enabling communication between a client device (such as a computer or phone) and an authenticator (e.g., a security key). CTAP2 is the latest version supporting FIDO2 functions.

  • Compliance
    Adherence to regulations and security standards to protect data and ensure safe practices.

  • Credential ID
    A unique identifier associated with each registered security key, allowing services to differentiate between multiple authenticators.

  • Credential Management
    The secure storage, updating, and deletion of user credentials.

  • Cryptographic Hash Function
    A function that converts data into a fixed-size hash, often used to verify data integrity.

  • Cryptographic Key Pair
    A set of public and private keys used together for secure authentication and data exchange.

  • Data Breach
    An incident where unauthorized parties gain access to sensitive data, often leading to identity theft or credential exposure.

  • Data Integrity
    Ensuring that data remains unaltered and intact during storage or transmission.

  • Device Binding
    A security feature tying account access to a specific device for additional protection.

  • Digital Certificate
    A document verifying the identity of a device or user, commonly used in PKI and secure communications.

  • Digital Signature
    A cryptographic signature verifying the authenticity and integrity of data, widely used in secure communications.

  • Elliptic Curve Cryptography (ECC)
    A cryptographic method known for providing high security with shorter keys, commonly used in security keys like the Thetis FIDO2 Security Key.

  • Entropy
    The randomness in a cryptographic system, enhancing the strength of security keys.

  • Federal Information Processing Standards (FIPS)
    Standards set by the U.S. government to ensure secure information processing, including FIPS 140-2, which certifies cryptographic modules.

  • Fast Identity Online (FIDO)
    An open standard that enables secure, passwordless authentication through public-key cryptography.

  • FIDO2
    An authentication standard combining WebAuthn and CTAP2 to enable passwordless login and multi-factor authentication.

  • Hardware Security Module (HSM)
    A device used to securely manage and store cryptographic keys, commonly used by organizations to protect sensitive data.

  • Hardware Security Key
    A physical device (e.g., Thetis FIDO2 Security Key) that provides secure login through public-key cryptography, enabling passwordless authentication or two-factor security.

  • Hash-Based Message Authentication Code (HMAC)
    A cryptographic function that combines a secret key with data to produce a keyed hash, used to verify message authenticity and in generating OTPs.

  • Man-in-the-Middle Attack (MitM)
    A cyberattack where a third party intercepts and possibly alters communications between two parties.

  • Master Password
    A primary password that secures all other stored credentials within a password manager.

  • Multi-Factor Authentication (MFA)
    An authentication process requiring multiple forms of verification, such as a password, security key, or biometric data.

  • Nonce
    A random value used in cryptographic protocols to ensure data freshness and prevent replay attacks.

  • OAuth
    An open standard for access delegation, enabling third-party services limited access to user data without sharing passwords.

  • One-Time Password (OTP)
    A time-sensitive code used for secure login, typically generated by an app or hardware key, providing an additional layer of security.

  • Passkey
    A FIDO2-compatible, hardware-based credential enabling passwordless authentication through secure cryptographic methods.

  • Password Manager
    Software that securely stores and manages a user’s passwords, often protected by a master password and multi-factor authentication.

  • Personal Identity Verification (PIV)
    A U.S. government standard for identity verification, often used with cryptographic devices like PIV cards.

  • Phishing
    A cyberattack where attackers impersonate legitimate services to steal sensitive information, like passwords or credit card numbers.

  • PIN (Personal Identification Number)
    A code used to verify user identity, commonly combined with hardware keys for enhanced security.

  • PKI Certificate Chain
    A hierarchy of certificates validating the legitimacy of a device or individual within PKI.

  • Public Key
    A key shared with services to verify the identity of the private key holder, enabling secure login without revealing sensitive data.

  • Public-Key Cryptography
    A cryptographic system that uses pairs of public and private keys for secure authentication and data exchange.

  • Public-Key Infrastructure (PKI)
    A framework managing public keys and digital certificates for secure data exchange, widely used in FIDO2 systems.

  • Replay Attack
    A type of attack where valid data is maliciously repeated or delayed by a third party to gain unauthorized access.

  • Resident Key
    A key stored directly on the authenticator, like the Thetis FIDO2 Security Key, enabling standalone passwordless authentication.

  • Relying Party
    The service or application that relies on FIDO2 authentication for secure login, like a website or app.

  • Risk-Based Authentication
    A method that assesses the risk level of a login attempt to determine necessary security measures.

  • RSA Algorithm
    A widely used cryptographic algorithm for secure data exchange, often in PKI and secure communications.

  • Secure Boot
    A security feature ensuring that only trusted software can run during device startup.

  • Secure Element
    A tamper-resistant chip within a device that securely stores cryptographic keys and sensitive data, preventing unauthorized access.

  • Session Hijacking
    An attack where an attacker takes over a user’s active session to perform unauthorized actions.

  • Session Timeout
    Automatic termination of a session after inactivity to reduce security risks.

  • Single-Factor Authentication
    Authentication using only one method, like a password, without additional verification layers.

  • Single Sign-On (SSO)
    A system enabling users to log in once and access multiple services without needing to re-authenticate.

  • SIM Swapping
    A type of fraud where attackers transfer a victim’s phone number to another SIM card to intercept SMS-based authentication codes.

  • Symmetric Encryption
    A method where the same key encrypts and decrypts data, often used for secure data transmission.

  • Threat Model
    An analysis identifying potential security risks and defining countermeasures.

  • Time-Based One-Time Password (TOTP)
    A type of OTP based on the current time, commonly used in two-factor authentication for added security.

  • Token-Based Authentication
    An authentication method using a unique token as a secure identifier.

  • Two-Factor Authentication (2FA)
    A security process that requires two forms of verification, like a password and a hardware key, for added security.

  • Zero Trust
    A security model where no one is trusted by default, including those inside the network perimeter.

  • Zero-Knowledge Encryption
    A security model where a password manager cannot access stored data, as only the user has the decryption key, ensuring privacy.


This comprehensive glossary provides key terms and definitions essential for understanding security keys, authentication, and cryptographic methods associated with the [Thetis FIDO2 Security Key](https://thetis.io/).