CIAM Glossary
Plain, vendor-neutral definitions of the terms, protocols, and standards behind Customer Identity and Access Management. 113 entries and growing.
- Authorization
Access Token
An access token is a credential an application presents to an API to prove it is authorized to perform a request on a user's behalf, issued by an OAuth 2.0 authorization server and usually short-lived.
- Fundamentals
Account Linking
Account linking is the process of connecting multiple login credentials or identity provider accounts to a single user profile, so the user can sign in through different methods and reach the same account.
- Authentication
Account Recovery
Account recovery is the process by which a user regains access to their account after losing their primary credentials, typically through a verified alternative channel or identity proof.
- Fraud
Account Takeover (ATO)
Account takeover is an attack where a criminal gains control of a legitimate user's account, usually through stolen credentials, phishing, or social engineering, then uses it for fraud or theft.
- Authentication
Adaptive Authentication
Adaptive authentication adjusts how strongly a user must prove their identity based on the risk of each sign-in, asking for extra verification only when signals suggest something is unusual.
- Authorization
Attribute-Based Access Control (ABAC)
Attribute-based access control decides access by evaluating attributes of the user, the resource, the action, and the context against policy rules, allowing finer and more dynamic decisions than roles alone.
- Authentication
Authenticator Assurance Level (AAL)
Authenticator Assurance Level is a NIST 800-63 measure of how strongly a login proves the right person is present, from single-factor (AAL1) to phishing-resistant hardware-backed authentication (AAL3).
- Authorization
Authorization Code Flow
The authorization code flow is an OAuth 2.0 grant type in which a client application receives a short-lived authorization code that it exchanges for an access token, keeping the token out of the browser.
- Fraud
Behavioral Biometrics
Behavioral biometrics analyzes patterns in how a user interacts with a device, such as typing rhythm, mouse movement, and touch pressure, to continuously verify identity or detect anomalies.
- Authentication
Biometric Authentication
Biometric authentication verifies a user from a physical trait such as a fingerprint or face, most often as a local unlock on the user's device rather than a biometric sent to a server.
- Fraud
Bot Detection
Bot detection is the practice of identifying and mitigating automated, non-human traffic that targets web applications, including credential stuffing, account creation fraud, and scraping.
- Regulation
CCPA
The CCPA, as amended by the CPRA, is California's consumer privacy law giving residents rights to know, delete, correct, and opt out of the sale or sharing of their personal information.
- Authentication
Claims
Claims are statements about a user, such as their name, email, or roles, carried inside a token like an OpenID Connect ID token so an application can learn about the user without a separate lookup.
- Authorization
Client Credentials Grant
The client credentials grant is an OAuth 2.0 flow in which an application authenticates with its own credentials, rather than on behalf of a user, to obtain an access token for machine-to-machine communication.
- Authentication
Client-Initiated Backchannel Authentication
CIBA (Client-Initiated Backchannel Authentication) is an OpenID Connect flow that lets an application start authentication on a separate device, so a user approves a request on their phone while interacting with a terminal, agent, or call center.
- Privacy
Consent Management
Consent management is the capture, storage, and enforcement of a user's permissions over how their personal data is collected and used, in a way that can be proven to regulators.
- Privacy
Consent Receipt
A consent receipt is a record that captures the details of a user's consent decision, including what was consented to, when, by whom, and under what conditions, providing an auditable proof of consent.
- Security
Continuous Access Evaluation
Continuous access evaluation is a model where access decisions are re-checked during a session in near real time, so events such as a revoked account or a risk change can cut off access before a token would normally expire.
- Authentication
Continuous Adaptive Trust (CARTA)
Continuous adaptive trust is the principle that access decisions should be re-evaluated continuously from current risk signals rather than settled once at login, raising or lowering friction as context changes.
- Regulation
COPPA
COPPA (Children's Online Privacy Protection Act) is a United States law that requires operators of websites and online services directed at children under 13, or with actual knowledge of child users, to obtain verifiable parental consent before collecting personal information.
- Fraud
Credential Stuffing
Credential stuffing is an automated attack that tries large lists of username and password pairs stolen from other breaches against a login form, exploiting the fact that people reuse passwords.
- Growth
Customer Data Platform (CDP)
A customer data platform (CDP) is a system that collects, unifies, and organizes customer data from multiple sources into persistent, individual profiles that are accessible to other systems for analytics and engagement.
- Fundamentals
Customer Identity and Access Management (CIAM)
CIAM is the practice and technology for registering, authenticating, and managing the identities of external users such as customers, while capturing their consent and protecting their personal data.
- Privacy and Compliance
Data Breach Notification
Data breach notification is the legal obligation to inform regulators and affected individuals after a personal-data breach, within set deadlines such as the GDPR's 72-hour reporting window.
- Privacy
Data Minimization
Data minimization is the principle that organizations should collect and retain only the personal data that is directly necessary for the stated purpose, avoiding the accumulation of excess information.
- Privacy
Data Subject Access Request (DSAR)
A data subject access request (DSAR) is a formal request from an individual to an organization to provide a copy of all personal data held about them, along with information about how that data is processed.
- Decentralized Identity
Decentralized Identifier (DID)
A decentralized identifier is a globally unique identifier the subject controls directly, resolvable to keys and metadata without depending on a central registry or provider.
- Verification
Decentralized Identifiers (DIDs)
A decentralized identifier is a globally unique identifier that a person or organization can create and control without a central registry, defined by the W3C and often used alongside verifiable credentials.
- Authorization
Delegated Administration
Delegated administration is a model in which an organization grants a subset of administrative privileges to external partners, resellers, or customer administrators, allowing them to manage users and policies within a defined scope.
- Authorization
Device Authorization Grant
The device authorization grant is an OAuth 2.0 flow that lets input-constrained devices, such as smart TVs and IoT hardware, authenticate a user by displaying a code the user enters on a separate device with a browser.
- Fraud
Device Fingerprinting
Device fingerprinting is a technique that collects attributes from a user's browser or device to generate a unique or semi-unique identifier, used to recognize returning devices without relying on cookies or stored tokens.
- Verification
Digital Identity Wallet
A digital identity wallet is a software application that stores, manages, and presents verifiable credentials on behalf of its holder, enabling privacy-preserving identity verification across services.
- Fundamentals
Directory Service
A directory service is a system that stores, organizes, and provides access to identity information such as user accounts, groups, and attributes within a network.
- Regulation
DORA
DORA (Digital Operational Resilience Act) is a European Union regulation that establishes uniform requirements for the security of network and information systems in the financial sector, covering ICT risk management, incident reporting, and third-party oversight.
- Growth
Double Opt-In
Double opt-in is a registration or subscription process that requires a user to confirm their intent by responding to a verification message, typically an email, after an initial signup action.
- Regulation
DPDP Act
The DPDP Act (Digital Personal Data Protection Act, 2023) is India's data protection law governing the processing of digital personal data, establishing consent requirements, data subject rights, and obligations for data fiduciaries.
- Authorization
DPoP
DPoP (Demonstrating Proof of Possession) is an OAuth 2.0 extension that binds access tokens to the client that requested them by requiring a proof-of-possession key, preventing stolen tokens from being replayed by other parties.
- Authorization
Dynamic Client Registration
Dynamic client registration is an OAuth 2.0 protocol that lets a client register itself with an authorization server programmatically at runtime, receiving its client identifier and credentials through an API instead of manual configuration.
- Regulation
eIDAS 2.0
eIDAS 2.0 is the European Union regulation that establishes a framework for a European Digital Identity Wallet, letting people across the EU prove their identity and share attributes digitally across borders.
- Identity Proofing
eKYC (Electronic Know Your Customer)
eKYC is the electronic verification of a customer's identity to meet Know Your Customer regulations, using remote document, biometric, and data checks instead of in-person review.
- Regulation
EU AI Act
The EU AI Act (Regulation (EU) 2024/1689) is the European Union's comprehensive framework for regulating artificial intelligence, classifying AI systems by risk level and imposing requirements that range from transparency to outright prohibition.
- Authorization
FAPI
FAPI is a set of security profiles from the OpenID Foundation that harden OAuth 2.0 and OpenID Connect for high-value APIs such as open banking, where the cost of a breach is high.
- Authentication
FIDO2
FIDO2 is the set of standards from the FIDO Alliance and the W3C that enables phishing-resistant passwordless authentication using public-key credentials, made up of WebAuthn and the CTAP protocol.
- Authorization
Fine-Grained Authorization (FGA)
Fine-grained authorization decides access at the level of individual resources and relationships, answering questions like whether this specific user can edit this specific document, rather than relying on broad roles alone.
- Regulation
GDPR
The GDPR is the European Union regulation governing how personal data of people in the EU is collected and processed, setting rules on lawful basis, consent, and individual rights that directly shape CIAM.
- Regulation
HIPAA
HIPAA (Health Insurance Portability and Accountability Act) is a United States law that establishes standards for protecting the privacy and security of individually identifiable health information.
- Authentication
ID Token
An ID token is a JSON Web Token issued by an OpenID Connect provider that contains claims about the authentication event and the identity of the user.
- Fundamentals
Identity and Access Management (IAM)
IAM is the framework of policies and technology that ensures the right identities have the right access to the right resources, covering authentication, authorization, and the lifecycle of accounts.
- Identity Proofing
Identity Assurance Level (IAL)
Identity Assurance Level is a NIST 800-63 measure of how thoroughly a person's real-world identity was proofed before an account was issued, from self-asserted (IAL1) to in-person or equivalent verification (IAL3).
- Authentication
Identity Broker
An identity broker is an intermediary that sits between applications and multiple identity providers, giving each application one integration point while the broker handles federation, protocol translation, and routing each user to whichever provider authenticates them.
- Authentication
Identity Federation
Identity federation lets a user authenticate with one identity provider and gain access to applications run by other parties that trust it, so a single identity works across organizational boundaries.
- Growth
Identity Graph
An identity graph is the connected structure that links all the identifiers belonging to one customer (logins, devices, accounts, social identities) and their relationships into a single resolved view.
- Fundamentals
Identity Orchestration
Identity orchestration is the practice of coordinating multiple identity services into configurable journeys, using a workflow layer that connects authentication, verification, and authorization providers without custom code in each application.
- Fundamentals
Identity Provider
An identity provider (IdP) is a system that creates, stores, and manages digital identities and authenticates users on behalf of relying applications, returning a trusted assertion or token rather than exposing the underlying credentials.
- Growth
Identity Resolution
Identity resolution is the process of matching and merging identity data from multiple sources to determine that different records refer to the same individual, producing a unified customer profile.
- Verification
Identity Verification (IDV)
Identity verification is the process of establishing that a person is who they claim to be, typically by checking government documents, biometrics, or authoritative data sources at sign-up or for sensitive actions.
- Authentication
JSON Web Key Set (JWKS)
A JSON Web Key Set (JWKS) is a JSON data structure that represents a set of cryptographic keys, used by relying parties to verify the signatures of JWTs issued by an authorization server.
- Authentication
JSON Web Token (JWT)
A JSON Web Token is a compact, URL-safe, digitally signed token that carries claims about a user or session, used widely to convey identity and authorization data between parties.
- Authentication
Kerberos
Kerberos is a network authentication protocol that uses tickets issued by a trusted third party to allow clients and services to prove their identity to each other without sending passwords over the network.
- Verification
Know Your Customer
Know Your Customer (KYC) is the regulated process by which a business verifies a customer's identity and assesses risk before and during a relationship, typically required of financial institutions to prevent fraud, money laundering, and financing of crime.
- Authentication
Knowledge-Based Authentication (KBA)
Knowledge-based authentication (KBA) is an identity verification method that asks users to answer personal questions, either static ones they set in advance or dynamic ones derived from external data sources.
- Fundamentals
LDAP
LDAP (Lightweight Directory Access Protocol) is a standard protocol for accessing and maintaining directory services over a network, commonly used to store and query user identities and organizational structures.
- Regulation
LGPD
The LGPD (Lei Geral de Proteção de Dados) is Brazil's general data protection law, establishing rules for the collection, use, and storage of personal data by organizations operating in Brazil or processing data of individuals located there.
- Verification
Liveness Detection
Liveness detection is a biometric technique that confirms a captured face or fingerprint comes from a live person present at capture, rather than a photo, video, mask, or other spoof, defending against presentation attacks.
- Authentication
Magic Link
A magic link is a single-use, time-limited URL sent to a user's email or phone that signs them in when clicked, removing the need to enter a password.
- Fraud
MFA Fatigue
MFA fatigue is an attack in which an adversary who already has a victim's password floods them with repeated push approval prompts, hoping the user eventually approves one out of confusion or annoyance.
- Authentication
Multi-Factor Authentication (MFA)
Multi-factor authentication requires a user to present two or more independent proofs of identity from different categories, such as something they know, have, or are, before access is granted.
- Fundamentals
Multi-Tenancy
Multi-tenancy is an architecture in which a single instance of a platform serves multiple independent organizations or customer groups, each with isolated data and configuration, from shared infrastructure.
- Fraud
New-Account Fraud
New-account fraud is an attack in which an adversary creates an account using a stolen or synthetic identity at registration, rather than taking over an existing one, to abuse promotions, launder funds, or establish a foothold for later fraud.
- Regulation
NIS2
NIS2 (Directive (EU) 2022/2555) is the European Union directive on cybersecurity that sets risk management and incident reporting obligations for essential and important entities across critical infrastructure sectors.
- Authorization
OAuth 2.0
OAuth 2.0 is an authorization framework that lets an application obtain limited access to a user's resources on another service without handling the user's password, by exchanging tokens.
- Authorization
OAuth Mutual TLS
OAuth Mutual TLS (mTLS) is an extension that uses client certificates at the transport layer to authenticate OAuth clients and bind access tokens to those certificates, providing strong proof of possession.
- Authorization
OAuth Scopes
Scopes are labels in OAuth 2.0 that specify exactly what access an application is requesting, so the user can see and consent to a limited set of permissions rather than full access.
- Authentication
One-Time Password (OTP)
A one-time password is a code valid for a single login or a short time window, used as a second factor, generated by an authenticator app or sent over SMS or email.
- Authentication
OpenID Connect (OIDC)
OpenID Connect is an identity layer on top of OAuth 2.0 that lets an application verify who a user is and obtain basic profile information through a signed ID token.
- Verification
OpenID for Verifiable Credential Issuance
OpenID for Verifiable Credential Issuance (OID4VCI) is a protocol built on OpenID Connect that defines how a credential issuer delivers verifiable credentials to a holder's wallet in a standardized, interoperable way.
- Verification
OpenID for Verifiable Presentations
OpenID for Verifiable Presentations (OID4VP) is a protocol built on OAuth 2.0 that defines how a holder presents verifiable credentials from their wallet to a verifier in a standardized, privacy-preserving way.
- Authentication
Passkeys
A passkey is a FIDO2 and WebAuthn credential, a public and private key pair bound to a specific website, that signs in a user without a password and without any shared secret stored on the server.
- Authentication
Passwordless Authentication
Passwordless authentication verifies a user without a stored password, using factors such as passkeys, security keys, biometrics, or one-time links and codes instead.
- Regulation
PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for organizations that store, process, or transmit payment card data, covering access controls, encryption, monitoring, and vulnerability management.
- Authentication
Phishing-Resistant Authentication
Phishing-resistant authentication refers to authentication methods that are structurally immune to phishing attacks because the credential is bound to the legitimate origin and cannot be replayed on a fake site.
- Authorization
PKCE
PKCE is an extension to the OAuth 2.0 authorization code flow that protects against interception of the authorization code, and is the recommended pattern for public clients such as mobile and single-page apps.
- Growth
Preference Management
Preference management is the practice of giving users control over their communication channels, content topics, and data-sharing choices through a centralized interface, typically called a preference center.
- Identity Proofing
Presentation Attack Detection (PAD)
Presentation attack detection is the set of techniques that determine whether a biometric sample comes from a live, present person rather than a spoof such as a photo, mask, replay, or deepfake.
- Privacy
Privacy by Design
Privacy by Design is an approach that embeds data protection into the architecture and operations of systems from the outset, rather than treating it as an afterthought or a compliance layer added later.
- Growth
Progressive Profiling
Progressive profiling is the practice of collecting a customer's information gradually across multiple interactions, rather than asking for everything at sign-up, to reduce friction and improve data quality.
- Authentication
Progressive Trust
Progressive trust is the practice of starting a customer relationship at low friction and low assurance, then raising assurance step by step as the value or risk of what the customer does increases.
- Regulation
PSD2
PSD2 is the European Union directive on payment services that mandates strong customer authentication for electronic payments and opens bank account access to licensed third parties with the customer's consent.
- Privacy
Pseudonymization
Pseudonymization is a data processing technique that replaces directly identifying information with artificial identifiers, so that the data can no longer be attributed to a specific person without access to separately held additional information.
- Authorization
Pushed Authorization Requests (PAR)
Pushed Authorization Requests (PAR) is an OAuth 2.0 extension that lets a client send the authorization request parameters directly to the server over a back channel before redirecting the user, improving security and reducing exposure of request data.
- Authorization
Refresh Token
A refresh token is a long-lived credential an application uses to obtain new access tokens without making the user sign in again, letting access tokens stay short-lived for security.
- Fundamentals
Relying Party
A relying party (RP) is an application or service that outsources user authentication to an identity provider and relies on the token or assertion it receives to grant access, rather than verifying credentials itself.
- Privacy
Right to Be Forgotten
The right to be forgotten, formally the right to erasure, is a data subject right under the GDPR that allows individuals to request the deletion of their personal data when it is no longer necessary or when they withdraw consent.
- Authorization
Role-Based Access Control (RBAC)
Role-based access control grants permissions to roles rather than directly to users, so a person gets access by being assigned a role that bundles the permissions for a job or function.
- Authentication
SAML 2.0
SAML 2.0 is an XML-based standard for exchanging authentication and authorization assertions between an identity provider and a service provider, most often used for enterprise single sign-on.
- Provisioning
SCIM
SCIM is a standard REST API and schema for automatically creating, updating, and deactivating user accounts across systems, so that identity data stays in sync without manual work.
- Verification
Self-Sovereign Identity (SSI)
Self-sovereign identity is a model where individuals hold and control their own identity data in a personal wallet and present cryptographically verifiable proofs directly, without a central provider mediating every interaction.
- Authentication
Session Management
Session management is how a system keeps a user authenticated after login, issuing and tracking a session token, deciding how long it lasts, and ending it securely on logout or timeout.
- Fraud
SIM Swap
A SIM swap is a fraud technique in which an attacker convinces a mobile carrier to transfer a victim's phone number to a new SIM card, allowing the attacker to intercept calls and SMS messages, including one-time passwords.
- Growth
Single Customer View
A single customer view is a consolidated, unified representation of all data an organization holds about one customer, aggregated from every system and interaction channel into one profile.
- Authentication
Single Logout (SLO)
Single Logout (SLO) is a mechanism that terminates a user's sessions across all applications and the identity provider in a single action, the inverse of single sign-on.
- Authentication
Single Sign-On (SSO)
Single sign-on lets a user authenticate once and then access multiple applications without logging in again, by sharing a trusted session across those applications.
- Authentication
Social Login
Social login lets a user sign in to an application with an existing account from a provider such as Google, Apple, or Facebook, instead of creating and remembering a new password.
- Authentication
Step-Up Authentication
Step-up authentication asks a user for a stronger or additional proof of identity at the moment they attempt a sensitive action, even if they are already signed in.
- Authorization
Token Exchange
Token exchange is an OAuth 2.0 extension that lets a client trade one security token for another, enabling delegation and impersonation scenarios where a service acts on a user's behalf across trust boundaries.
- Authorization
Token Introspection
Token introspection is an OAuth 2.0 protocol that allows a resource server to query the authorization server to determine whether an access or refresh token is currently active and to retrieve its metadata.
- Authorization
Token Revocation
Token revocation is an OAuth 2.0 protocol that allows a client to notify the authorization server that an access token or refresh token is no longer needed and should be invalidated.
- Authorization
User-Managed Access (UMA)
User-Managed Access is an OAuth-based standard that lets a person set policies for who can access their resources and data, enabling user-driven sharing and delegation rather than per-application consent alone.
- Authentication
UserInfo Endpoint
The UserInfo endpoint is an OpenID Connect protected resource that returns claims about an authenticated user when presented with a valid access token.
- Decentralized Identity
Verifiable Credential (VC)
A verifiable credential is a tamper-evident digital claim, cryptographically signed by an issuer and held by the subject, that a verifier can check without contacting the issuer.
- Verification
Verifiable Credentials (VC)
A verifiable credential is a tamper-evident, cryptographically signed digital claim that a holder can present to prove an attribute about themselves, following the W3C Verifiable Credentials data model.
- Authentication
WebAuthn
WebAuthn is the W3C browser standard that lets web applications register and authenticate users with public-key credentials held in a device authenticator, forming the web half of FIDO2.
- Security
Zero Trust
Zero trust is a security model that treats no user, device, or network as inherently trusted, requiring every request to be authenticated, authorized, and continuously evaluated based on identity and context.