| Term | Definition |
|---|---|
| ACA | Access Control Applet. Manages the PIN and other authentication methods. |
| ACR | Access Control Rule. A logical combination of authentication methods. |
| AES | Advanced Encryption Standard. A symmetric-key encryption algorithm established by the U.S. National Institute of Standards and Technology (NIST). |
| AID | Application Identifier. Identifies an application on a smart card in accordance with ISO/IEC 7816. |
| APDU | Application Protocol Data Unit. The messages exchanged between the token and the application. |
| Applet | A small, subordinate application on the token designed to perform specific tasks. |
| ATR | Answer To Reset. The message output by a contact smart card conforming to ISO/IEC 7816, following an electrical reset of the card's chip by the card reader. |
| BER-TLV | Basic Encoding Rules, Tag-Length-Value. A format for encoding information as tagged values, each carrying its length. |
| CBOR | Concise Binary Object Representation. The data format used in CTAP communication. See the CTAP documentation. |
| Challenge | A random number generated by the server API for authenticating a user in asynchronous (challenge/response) mode. |
| CTAP | Client to Authenticator Protocol. Used by the FIDO authentication standard. |
| CUID | Card Unique Identifier. A unique identifier for a smart card, typically used to identify the card and its associated applications. |
| ECC | Elliptic Curve Cryptography. An approach to public-key cryptography based on the mathematics of elliptic curves, allowing smaller keys to provide security equivalent to other cryptosystems such as RSA. |
| FIDO | Fast IDentity Online. A security standard for online authentication based on a cryptographic key pair unique to each online service. For more information, see the official FIDO documentation. |
| HMAC | Hash-Based Message Authentication Code. A message authentication code that uses a cryptographic key in conjunction with a hash function. |
| HOTP | HMAC-Based One-Time Password. A type of one-time password generated algorithmically from an HMAC over a counter that increases every time a new OTP is generated, providing a different passcode each time one is required. |
| OATH | Initiative for Open Authentication. |
| OCRA | OATH (Initiative for Open Authentication) Challenge-Response Algorithm. |
| OCRA suite | A configuration string used in OATH Challenge-Response Authentication (OCRA) that defines the parameters for generating one-time passwords. |
| OID | Object Identifier. A globally unique identifier standardized by the International Telecommunication Union. OIDs are represented as a series of numbers separated by dots (e.g., 2.5.29.37). |
| OTP | One-Time Password. A password that is valid for only one login session or transaction, used to provide an additional layer of security. |
| PIN | Personal Identification Number. A numeric or alphanumeric code used to authenticate a user to a system, typically known only to the user and the system. |
| PUK | PIN Unblock Key. A code used to reset the personal identification number (PIN) of a device after it has been locked due to multiple incorrect PIN entries. |
| PIV | Personal Identity Verification. A United States federal standard for secure and reliable forms of identification issued by the government to federal employees and contractors. |
| PKI | Public Key Infrastructure. A framework that enables secure electronic identities through public-key cryptography, including the creation, distribution, and management of digital certificates. |
| PSKC | Portable Symmetric Key Container. An XML format defined by an OASIS standard, used for transporting and provisioning symmetric keys to different types of devices. |
| PSKC file | A file used to securely transport and provision symmetric keys to cryptographic devices or software, following the Portable Symmetric Key Container (PSKC) format. |
| RSA | Rivest–Shamir–Adleman. An asymmetric cryptographic algorithm, usually identified together with a number giving the key size, e.g. RSA2048 or RSA4096. |
| SKI | Secure Key Injection. A FIPS certification-compliant protocol that ensures data protection when importing private keys, OTP secrets, and management keys. |
| SKI Transport Key | An RSA-3072 key uniquely bound to a specific token, used to securely transfer data to that token in compliance with the Secure Key Injection protocol. |
| TDES | Triple Data Encryption Standard. An encryption algorithm that uses three separate keys for encryption, providing a higher level of security than its predecessor, the Data Encryption Standard (DES). |
| Token | A physical device, such as a smart card or USB key, that securely stores certificates, cryptographic keys and credentials used for authentication, digital signing, and encryption tasks. |
| TOTP | Time-Based One-Time Password. A variant of the one-time password (OTP) that uses a representation of the current time as the moving factor, so that each OTP is unique and valid only for a short period. |
| XAUTH | A cryptographic key used to control and manage secure operations on a smart device, such as configuring, updating, or modifying sensitive data, using external authentication (a challenge/response algorithm). |