@AlexFilipin
Last active April 14, 2020 16:41
Authentication Methods
| Authentication method | Vulnerable to breach replay or password spray attacks? | Vulnerable to phishing? | Vulnerable to physical theft? | All secrets sent over the network? | Terminology suggestion |
|---|---|---|---|---|---|
| Password alone | Yes | Yes | N/A | Yes | TBD |
| Password + OTP via email | No | Yes | Yes, if the device offers unsecured access to email | Yes | TBD |
| Password + OTP via SMS | No | Yes | Yes, if the device offers unsecured access to SMS | Yes | TBD |
| Password + OTP via soft token | No | Yes | Yes, if the device offers unsecured access to the soft token | Yes | TBD |
| Password + OTP via hard token | No | Yes | Yes | Yes | TBD |
| Password + approval of push notification | No | Yes | Yes, if the device offers unsecured access to approve | No for the push factor (the approval uses public-key cryptography); the password itself is still sent | TBD |
| Password + smartcard | No | ? | ? | ? | TBD |
| Password + FIDO CTAP authenticator [U2F or FIDO2] (removable, e.g. a security key, or built-in, e.g. Windows Hello) | No | No, the client checks the challenging origin and the credential is bound to the relying party | U2F/CTAP1: yes, a touch (user presence) is the only unlock; FIDO2 with user verification: no, unlocking the authenticator requires a PIN or biometric | No for the FIDO factor (public-key challenge-response); the password itself is still sent | TBD |
| Passwordless public-key cryptography [e.g. Microsoft Authenticator phone sign-in for MSA and AAD] | No | Yes, the approval is not bound to the origin the user is looking at | No, unlocking the authenticator requires a PIN or biometric | No, it uses public-key cryptography | TBD |
| Passwordless FIDO2 [e.g. Microsoft account sign-in using a security key or Windows Hello] | No | No, the client checks the challenging origin and the credential is bound to the relying party | No, unlocking the authenticator requires a PIN or biometric by standard | No, it uses public-key cryptography | TBD |