
Term · 4. Identification & Authentication

Login

Domain: IDM/IGA
Tags: AuthN · Vendor · ISO/IEC · NIST · OWASP
Introduced by: Big4 (Deloitte / PwC / EY / KPMG)

Definition

Common term for the user-facing authentication interaction: entering credentials at a sign-in form. Modern patterns: passwordless (FIDO2/WebAuthn, passkeys), SSO redirect (the application never receives credentials; the identity provider authenticates the user and returns an assertion), magic links, QR code login. UX-critical: friction at login is a major cause of customer abandonment (40-60% drop-off in CIAM).

Application
Standards: OIDC and SAML browser flows, WebAuthn, FIDO2 CTAP. Best practices: replace e-mail password-reset flows with passkeys; keep the form to the minimum number of input fields; return clear error messages that do not disclose which part of the credential failed (a generic "invalid username or password" rather than "user not found", which enables account enumeration); enforce MFA through adaptive, risk-based policies rather than a fixed prompt on every login.
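As an added example (written for this entry; not code from the glossary or from any vendor), the Python below shows the "error messages without information disclosure" practice in a password login handler. A leaky version reveals whether the username exists through both its message text and its early return; the hardened version returns one generic message, performs the same hashing work for unknown users, and compares digests in constant time. The in-memory user store, the credentials and the PBKDF2 iteration count are constructed for the example (the count follows OWASP's password-storage guidance, not anything the glossary specifies).

```python
import hashlib
import hmac
import os
import secrets

# Iteration count for PBKDF2-HMAC-SHA256 (assumption: OWASP's current guidance of 600,000).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed in-memory user store for the example; a real service uses a directory or database.
USERS: dict[str, tuple[bytes, bytes]] = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


# Decoy credential for unknown usernames: the "no such user" path then does the same PBKDF2
# work as the "wrong password" path, so response time does not reveal which one was taken.
_DECOY_SALT, _DECOY_DIGEST = hash_password(secrets.token_urlsafe(32))

GENERIC_FAILURE = "Invalid username or password."


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """The anti-pattern: distinct messages and an early return for unknown users.
    Both the text and the timing let an attacker enumerate valid usernames."""
    if username not in USERS:
        return False, "No account with that username."
    salt, stored = USERS[username]
    _, candidate = hash_password(password, salt)
    if candidate != stored:  # also a non-constant-time comparison
        return False, "Incorrect password."
    return True, "OK"


def login(username: str, password: str) -> tuple[bool, str]:
    """Hardened form: one generic message, uniform work, constant-time digest comparison."""
    salt, stored = USERS.get(username, (_DECOY_SALT, _DECOY_DIGEST))
    _, candidate = hash_password(password, salt)
    matched = hmac.compare_digest(candidate, stored)
    if not matched or username not in USERS:
        return False, GENERIC_FAILURE
    return True, "OK"


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "wrong"))        # (False, 'Invalid username or password.')
    print(login("mallory", "anything"))   # same message and same cost: nothing to enumerate
    print(login("alice", "correct horse battery staple"))  # (True, 'OK')
```

The same principle carries over to the passwordless patterns above: a WebAuthn assertion-options endpoint or a magic-link request endpoint should respond identically whether or not the account exists, otherwise the login form becomes a username oracle even though no password is involved.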
Standards & regulations
  • OASIS Secure QR Code Authentication Version 1.0 «This document describes the use of QR Codes and a mobile phone as a replacement for a username and password in user login authentication.»
  • NIST SP 800-63B «This document, SP 800-63B, provides requirements to credential service providers (CSPs) for remote user authentication at each of three authentication assurance levels. It also provides guidelines for»
  • NIST SP 800-63-3 «The guidelines cover identity proofing and authentication of users (such as employees, contractors, or private individuals) interacting with government information systems over open networks.»
  • W3C Web Authentication: An API for accessing Public Key Credentials Level 2 «This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.»