There are many acronyms and terms used by specialists in the field of digital identification and cyber security. At Symbiotic Consultancy Services, our role is to help you navigate through the terminology to help you to find the solution that is right for your organisation, not confuse you. This glossary contains some of the terms you may come across, along with our explanation of the term and how it is used. If you ever come across a term you want explained [which are not in our glossary], please feel free to ask us.

Term / Acronym


Address of Record

The validated and verified location (physical or digital) where an individual can receive communications using approved mechanisms.


A person undergoing the processes of registration and identity proofing prior to becoming an authorised user.


A statement, which may contain verified attributes, from a verifier entity to a Relying Party containing identity information about a person.


The degree of confidence that the individual who uses a security credential is the same person to whom the credential was issued during the identity proofing vetting process.

Asymmetric Keys

Two related keys, consisting of a public key and a private key, that are used to perform complementary cryptographic operations, i.e. encryption and decryption.


An attempt by an unauthorised entity to deceive a verifier entity or a Relying Party into believing that the unauthorized entity in question is the authorised Subscriber.


A party who acts with malicious intent to infiltrate an information system through compromising the information system's access control mechanisms.


A quality or characteristic ascribed to an individual, an entity or an object.


The process of determining the validity of one or more credentials used by a person to claim ownership of a digital identity, as identified by a unique system identifier.

Authentication Protocol

A defined sequence of messages between an individual's intelligent device and a verifier entity that demonstrates that the subject has possession and total control of one or more valid authenticators to establish their identity, and, optionally, demonstrates that the claimant is communicating with the intended verifier.

Authentication Method

A device and/or knowledge that an individual possesses and controls (for example, a cryptographic module or password) which produces authentication data that is used by a verifier entity or Relying Party to authenticate the individual’s claim to a specific digital identity.

Authenticator Assurance Level (AAL)

A category describing the authentication process proving that the claimant is in control of a given subscriber’s authenticator(s).

Authenticator Secret

The confidential data value contained within an authentication method.


The property that data originated from their purported source.


Automated recognition of individuals based on their behavioral and biological characteristics.

Authorised User

A subject whose identity is to be verified by a Relying Party of Verifier using one or more authentication methods or protocols to gain access to a resource or authorise a transaction.

Claimed Identity

A declaration of unvalidated and unverified personal attributes by the applicant.


An object or data structure that authoritatively binds an identity, via an identifier or identifiers, and, optionally, additional attributes, to at least one set of authentication data possessed and controlled by a subscriber. While common usage often assumes that the credential is maintained by the subscriber, this document also uses the term to refer to electronic records maintained by the CSP which establish a binding between the subscriber’s authentication data and their identity.

Credential Stuffing

Also known as password stuffing, this attack is an automated means of testing combinations of user identifiers and user authentication data in an attempt to gain unauthorised access to users' accounts.

Credential Service Provider (CSP)

A trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers. The CSP may encompass Registration Authorities (RAs) and verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use.

Cryptographic Key

A data value used to control cryptographic operations, such as decryption, encryption, signature generation or signature verification.

Cryptographic Authentication Data

Authenticator data which relies on the confidentiality of a cryptographic key.

Digital Authentication

The process of establishing confidence in user identities presented digitally to a system. In previous editions of SP 800-63, this was referred to as Electronic Authentication.

Digital Signature

An asymmetric key operation where the private key is used to digitally sign data and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation but not confidentiality protection.

Electronic Authentication (eAuthentication)

See Digital Authentication.


A process that allows for the conveyance of identity and authentication information across a set of networked systems.

Federation Assurance Level

A category describing the assertion protocol utilized by the federation to communicate authentication and attribute information (if applicable) to an RP.


An attribute or set of attributes that uniquely describe a subject within a given context.

Identity Assurance Level (IAL)

A category that conveys the degree of confidence that the applicant’s claimed identity is their real identity.

Identity Proofing

The process by which a CSP and an RA collect and verify information about a person for the purpose of issuing credentials to that person.

Identity Provider (IdP)

The party that manages the subscriber’s primary authentication credentials and issues assertions derived from those credentials. This is commonly the CSP as discussed within this document suite.

Memorized Secret

Authentication data consisting of a character string that is intended to be memorized or memorable by the subscriber, permitting the subscriber to demonstrate something they know as part of an authentication process.

Multi-Factor Authentication

A characteristic of an authentication system or an authentication method that requires more than one authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.


An open communications medium, typically the Internet, that is used to transport messages between the claimant and other parties. Unless otherwise stated, no assumptions are made about the security of the network; it is assumed to be open and subject to active (e.g., impersonation, man-in-the-middle, session hijacking) and passive (e.g., eavesdropping) attack at any point between the parties (e.g., claimant, verifier, CSP, RP).


See memorized secret.

Personal Identification Number (PIN)

A memorized secret typically consisting only of digits.

Personally Identifiable Information (PII)

Personally Identifiable Information means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

Private Key

The secret part of an asymmetric key pair that is used to digitally sign or decrypt data.

Pseudonymous Identifier

A meaningless but unique number that does not allow the RP to infer anything regarding the subscriber but which does permit the RP to associate multiple interactions with the subscriber’s claimed identity.

Public Key

The public part of an asymmetric key pair that is used to verify signatures or encrypt data.

Public Key Certificate

A digital document issued and digitally signed by the private key of a certification authority (CA) that binds an identifier to a subscriber to a public key. The certificate indicates that the subscriber identified in the certificate has sole control and access to the private key. See also [RFC 5280].

Public Key Infrastructure (PKI)

A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.


The process through which an applicant applies to become a subscriber of a CSP and has their identity validated by the CSP.

Relying Party (RP)

An entity that relies upon the subscriber’s authentication data associated with a specific authentication method or a Verifier’s assertion of a claimant’s identity, to grant access to information or a resource.


(In the context of remote authentication or remote transaction) An information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organisation’s security controls.Note: Any information exchange across the Internet is considered remote.

Risk Assessment

The process of identifying, estimating, and prioritising risks to organisational operations (including objectives, functions, image, or reputation), organisational assets, individuals, and other organisations.

Risk Management

The programme and supporting processes to manage information risk to organisational operations by (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) risk treatment (avoidance, reduction, sharing and retention); and (iv) monitoring risk over time.

Shared Secret

A secret used in authentication that is known to the subscriber and the Verifier.


A party who has received a credential or authenticator from a CSP.


A person that has been authorised to access data or resources subject to their correct authentication.

Symmetric Key

A cryptographic key that is used to perform both the cryptographic operation and its inverse, for example to encrypt and decrypt, or create a message authentication code and to verify the code.


The quality of identity evidence remaining truthful and it not being expired or revoked.


An entity that verifies the claimant’s identity by verifying the claimant’s possession and control of one or two authenticators using an authentication protocol. To do this, the verifier may also need to validate credentials that link the authenticator(s) to the subscriber’s identifier and check their status.

Please feel free to connect with Dr Tony Palmer on LinkedIn

Digital Identity Security Consultants
Identity & Access Management | Biometric Authentication & Identification | Data Encryption & Digital Signatures | Public Key Infrastructures & Directories

Stacks Image p87_n61
Stacks Image p87_n58
Stacks Image p87_n64

The contents of this website are copyright © 2017 Symbiotic Consulting Services Limited. All rights reserved.
Symbiotic Consulting Services Limited is a company registered in England and Wales, No: 5368511. Registered office: 22 Birch Grove, Welling, Kent, DA16 2JW, United Kingdom.