Glossary

Authentication & Verification Glossary

Plain-language definitions for the OTP, 2FA, passkey, fraud, and bot-defense terms that shape modern authentication. 76 terms and counting, searchable and organized by topic.

Authentication Fundamentals

Authentication

The process of verifying that a user, device, or system is who or what it claims to be before granting access. Authentication answers the question "who are you?", typically by checking something the user knows (a password), has (a phone or passkey), or is (a fingerprint).

Authorization

The process of determining what an authenticated user is allowed to do. Where authentication confirms identity, authorization governs permissions, which resources, actions, or data the verified user can access.

Identity Verification

Confirming that a person is who they claim to be, often during onboarding or a high-risk action. It can range from a simple phone-number check via a one-time password (OTP) to document and biometric verification.

Two-Factor Authentication (2FA)

A security method that requires two distinct proofs of identity from different categories, for example a password (something you know) plus a one-time code sent to your phone (something you have). 2FA dramatically reduces account-takeover risk because a stolen password alone is not enough to log in.

Multi-Factor Authentication (MFA)

Authentication that requires two or more independent factors from different categories, knowledge, possession, or inherence. MFA is the broader term that includes 2FA, and adding factors makes credential theft far less useful to an attacker.

Single Sign-On (SSO)

A scheme that lets a user authenticate once and gain access to multiple applications without logging in again to each one. SSO improves user experience and centralizes identity control, often using protocols like SAML or OpenID Connect.

Step-Up Authentication

Requesting an additional, stronger proof of identity only when a user attempts a sensitive action, such as transferring money or changing security settings. Step-up keeps routine flows frictionless while protecting high-risk moments.

Adaptive (Risk-Based) Authentication

Authentication that adjusts the level of verification based on real-time risk signals such as device, location, IP reputation, and behavior. Low-risk logins pass through quietly while anomalous attempts trigger extra challenges like an OTP or CAPTCHA.

Knowledge-Based Authentication (KBA)

A method that verifies identity by asking questions only the legitimate user should be able to answer, such as a previous address or security question. KBA is increasingly considered weak because much of this information can be found or guessed.

OTP & Verification Codes

One-Time Password (OTP)

A short numeric or alphanumeric code that is valid for a single login or transaction and expires after a short window. OTPs are the most common second factor because they are easy for users and worthless to an attacker once used or expired.

Time-Based One-Time Password (TOTP)

An OTP algorithm (RFC 6238) that generates a code from a shared secret and the current time, refreshing every 30 seconds. TOTP powers authenticator apps like Google Authenticator and works entirely offline, with no SMS or network delivery required.

HMAC-Based One-Time Password (HOTP)

An OTP algorithm (RFC 4226) that derives each code from a shared secret and an incrementing counter rather than the clock. HOTP is the event-based counterpart to TOTP and underlies many hardware tokens.

Verification Code

A code sent to a user's phone or email that they enter to confirm ownership of that contact channel. It is the user-facing term for an OTP used during sign-up, login, or transaction confirmation.

OTP Expiry (TTL)

The time-to-live window during which a one-time password remains valid before it is automatically invalidated. Short expiry windows limit the chance that an intercepted code can be replayed by an attacker.

Resend & Retry Logic

The rules governing how often a user can request a new OTP and how many wrong attempts are allowed before lockout. Well-designed retry logic balances usability with protection against brute-force and SMS-pumping abuse.

Delivery Channels

SMS OTP

A one-time password delivered as a text message to the user's mobile number. SMS OTP has the widest reach of any channel but is the most expensive and the most vulnerable to SIM-swap and interception attacks.

WhatsApp OTP

A verification code delivered through the WhatsApp Business Platform instead of SMS. WhatsApp OTP is typically cheaper and more reliable than SMS in many markets, supports rich templates, and confirms delivery. Akedly is an official Verified Meta Tech Provider and routes OTPs over WhatsApp, Telegram & SMS.

Telegram OTP

A one-time password sent through Telegram via a bot or the Gateway API. Telegram delivery is fast and low-cost for users active on the platform, making it a strong fallback or primary channel alongside WhatsApp and SMS.

Email OTP

A verification code or magic link delivered to a user's email address. Email is universally available and inexpensive but slower and weaker than phone-based channels, since email accounts are themselves a common takeover target.

Voice OTP

A one-time password delivered by an automated phone call that reads the code aloud. Voice OTP serves users on landlines or in areas with poor SMS deliverability and acts as an accessibility-friendly fallback.

Flash Call Verification

A verification method where a missed call is placed to the user's number and the last digits of the calling number serve as the code, often auto-detected by the app. Flash calls are cheaper than SMS and create a near-frictionless experience.

Fallback Channel

A secondary delivery route automatically used when the primary channel fails to deliver an OTP in time. A Multi-channel fallback stack such as WhatsAppTelegram → SMS maximizes delivery rates while controlling cost, a core part of how Akedly guarantees reliability & high deliverability.

Sender ID

The name or number that appears as the origin of a verification message. A registered, branded Sender ID improves trust and deliverability and helps users distinguish legitimate codes from phishing.

Number Lookup (HLR)

A query against carrier databases (the Home Location Register) to check whether a phone number is valid, active, and reachable, and which carrier serves it. Number lookup reduces wasted sends and helps detect risky or fraudulent numbers before delivery.

Passkeys & Modern Auth

WebAuthn

A W3C web standard and browser API that lets websites register and authenticate users with public-key credentials such as passkeys and security keys. WebAuthn is the part of FIDO2 that runs in the browser.

Biometric Authentication

Verifying identity using a physical trait such as a fingerprint, face, or voice. Biometrics provide the "something you are" factor and are commonly used locally on a device to unlock passkeys rather than being transmitted to a server.

Public-Key Cryptography

A cryptographic system that uses a mathematically linked key pair: a public key that can be shared and a private key kept secret. It underpins passkeys, TLS, and digital signatures, allowing identity to be proven without ever transmitting a reusable secret.

Fraud & Attacks

Account Takeover (ATO)

An attack in which a criminal gains unauthorized control of a legitimate user's account, typically using stolen credentials. Strong MFA and OTP verification are the primary defenses against ATO.

Credential Stuffing

An automated attack that tries username-and-password pairs leaked from one breach against many other sites, exploiting password reuse. Rate limiting, bot detection, and MFA are essential countermeasures.

Brute-Force Attack

An attack that systematically tries many passwords or codes until the correct one is found. Short OTP expiry, attempt limits, and rate limiting make brute-forcing impractical.

Phishing

A social-engineering attack that tricks users into revealing credentials or OTPs through fake messages, sites, or calls. Passkeys and phishing-resistant authentication defeat phishing because there is no reusable secret to hand over.

SIM-Swap Attack

Fraud in which an attacker convinces a mobile carrier to port a victim's phone number to a SIM they control, intercepting SMS OTPs. SIM-swap risk is a key reason to prefer app-based or messaging-channel verification over SMS for high-value accounts.

OTP Interception

Any technique that captures a one-time password in transit, through malware, SS7 network flaws, SIM swaps, or real-time phishing. Short expiry windows and phishing-resistant methods limit the value of an intercepted code.

SMS Pumping (AIT)

Artificially Inflated Traffic fraud in which attackers trigger huge volumes of OTP SMS to premium-rate numbers they profit from, running up a business's messaging bill. Rate limiting, number lookup, and channel routing away from SMS are core defenses.

Man-in-the-Middle (MITM)

An attack where the adversary secretly relays and possibly alters communication between two parties who believe they are talking directly. TLS encryption and phishing-resistant authentication protect against MITM interception of credentials and codes.

Replay Attack

An attack that captures a valid authentication message, such as an OTP or token, and resends it to gain access. One-time use, nonces, and short expiry windows make replays ineffective.

Smishing

Phishing carried out over SMS, where fraudulent texts lure users into clicking malicious links or revealing codes. Branded Sender IDs and user education reduce the success of smishing campaigns.

Vishing

Voice phishing, in which attackers use phone calls to manipulate victims into disclosing credentials, OTPs, or financial details. Vishing often impersonates banks or support agents and pairs with other fraud such as SIM swaps.

Bot Defense & Rate Limiting

CAPTCHA

A challenge designed to distinguish humans from automated bots, "Completely Automated Public Turing test to tell Computers and Humans Apart." CAPTCHAs guard sign-up, login, and OTP-request endpoints from automated abuse.

Cloudflare Turnstile

A privacy-friendly CAPTCHA alternative from Cloudflare that verifies users are human in the background, usually without puzzles. Turnstile uses lightweight challenges and behavioral signals to block bots while minimizing user friction.

Proof of Work (PoW)

A challenge that requires a client's device to spend measurable computational effort before a request is accepted. Proof-of-work CAPTCHAs make mass automated abuse expensive at scale while remaining invisible to ordinary users.

Invisible CAPTCHA

Bot detection that scores users from behavioral and device signals without presenting a visible puzzle. Only suspicious sessions are challenged, keeping the experience smooth for legitimate users.

Rate Limiting

Restricting how many requests a user, IP, or device can make in a given time window. Rate limiting protects authentication and OTP endpoints from brute-force, credential stuffing, and SMS-pumping abuse.

Device Fingerprinting

Building a stable identifier for a device from attributes such as browser, OS, screen, and network characteristics. Fingerprinting helps detect bots, recognize returning users, and flag anomalous logins for step-up verification.

Bot Detection

The practice of identifying automated, non-human traffic using behavioral analysis, fingerprinting, and reputation signals. Effective bot detection stops abuse before it reaches expensive operations like sending an OTP.

Honeypot

A decoy field or endpoint invisible to humans but tempting to bots; any interaction with it reveals automation. Honeypots are a low-friction way to catch simple bots without challenging real users.

Velocity Checks

Monitoring the speed and frequency of actions, such as OTP requests or logins from one identity, device, or IP, to spot abnormal bursts. Velocity rules complement rate limiting by catching distributed and coordinated abuse.

IP Reputation

A risk score for an IP address based on its history of abuse, association with proxies or data centers, and threat-intelligence feeds. Low-reputation traffic can be blocked or challenged before triggering costly verification.

Cryptography & Security

Encryption

Transforming data into an unreadable form that can only be reversed with the correct key, protecting it in transit and at rest. Encryption keeps OTPs, credentials, and personal data confidential against interception.

Hashing

A one-way function that converts data into a fixed-length digest that cannot be reversed. Passwords are stored as hashes so that a database breach does not expose the original secrets.

Salting

Adding a unique random value to each password before hashing so that identical passwords produce different hashes. Salting defeats precomputed lookup (rainbow-table) attacks against stored credentials.

HMAC

A Hash-based Message Authentication Code that combines a secret key with a hash function to verify both the integrity and authenticity of a message. HMAC is the cryptographic core of HOTP and TOTP one-time passwords.

JSON Web Token (JWT)

A compact, signed token format that carries claims about a user between parties and can be verified without a database lookup. JWTs are widely used to represent authenticated sessions and authorization scopes in APIs.

Session Management

How an application creates, maintains, and expires the authenticated state of a user after login. Secure session management, short lifetimes, rotation, and revocation, limits the damage of stolen tokens.

Nonce

A "number used once", a unique value included in a request or token to guarantee freshness. Nonces prevent replay attacks by ensuring each authentication message can only be accepted a single time.

Zero Trust

A security model that trusts no user or device by default, verifying every request regardless of network location. Zero Trust leans heavily on continuous authentication, MFA, and least-privilege authorization.

Developer & Integration

RESTful API

An application programming interface that follows REST conventions, using standard HTTP methods and JSON to expose resources. Akedly's RESTful API lets developers create and verify authentication requests with a few simple, well-documented calls.

API Key

A secret token that identifies and authenticates an application calling an API. API keys should be kept server-side, scoped to least privilege, and rotated periodically to limit exposure.

Webhook

An HTTP callback that pushes real-time events from a service to your application, for example notifying your backend when a verification succeeds or fails. Webhooks let you react to authentication events without polling.

SDK

A Software Development Kit, a packaged library that wraps an API in idiomatic code for a given language or platform. Akedly ships SDKs (such as npm and Flutter packages) so teams can add OTP verification in minutes.

Authentication Widget

A prebuilt, drop-in UI component that handles the full verification flow, collecting the contact, sending the OTP, and confirming the code. Akedly's widget lets businesses add secure authentication without building or maintaining the front-end logic themselves.

iFrame

An inline frame that embeds one web page inside another. Authentication widgets are often delivered as an iframe so the verification UI and its security logic stay isolated from the host site while remaining easy to embed.

Verification Pipeline

A configured sequence of methods and fallback channels that an authentication request flows through until it succeeds. Pipelines let businesses optimize for cost, speed, and deliverability, for instance trying WhatsApp first and falling back to SMS.

Sandbox Environment

An isolated testing environment that mimics production without sending real messages or incurring charges. A sandbox lets developers build and test integrations safely before going live.

Pricing & Billing

Pay Per Message (PPM)

A billing model where you are charged for every OTP that is sent and delivered, regardless of whether the user goes on to authenticate. It is the standard model on Akedly's pay-as-you-go, annual, and bulk plans. On WhatsApp and Telegram you are charged when the code is delivered; SMS can't be tracked the same way, so it is charged on confirmed delivery.

Pay Per Successful Authentication (PPS)

An enterprise billing model where you are charged only when a user actually completes authentication, not per OTP or per attempt. Failed, undelivered, resent, and unused codes cost nothing: if a user requests ten OTPs and uses one, you pay for one; if they use none, you pay nothing. Eligibility depends on volume, a high success rate over consecutive months, and implementation of Akedly's most secure APIs.

Customer Acquisition Cost (CAC)

The total sales and marketing spend, ad campaigns, promotions, and other outreach, divided by the number of new customers it wins, i.e. what it costs to acquire one paying customer. When a failed or undelivered OTP blocks a user from finishing signup, that whole acquisition spend is wasted, which is how unreliable authentication quietly inflates CAC.

Compliance & Standards

GDPR

The General Data Protection Regulation, the EU law governing how personal data is collected, processed, and stored. GDPR shapes how authentication providers handle phone numbers, identifiers, and consent.

SOC 2

An auditing standard that evaluates a service organization's controls around security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report signals that a vendor handles customer data responsibly.

PCI DSS

The Payment Card Industry Data Security Standard, a set of requirements for organizations that handle cardholder data. Strong authentication and MFA are explicit PCI DSS requirements for protecting payment systems.

OWASP

The Open Worldwide Application Security Project, a nonprofit that publishes widely used security guidance such as the OWASP Top 10 list of web application risks. Its authentication and session-management recommendations are industry baselines.

Put These Concepts to Work

Akedly turns the authentication stack above into a few API calls, send OTPs over WhatsApp, Telegram, and SMS with smart multi-channel fallback.