Skip to main content

Platform vs. roaming authenticators

Authenticators are cryptographically backed hardware or software devices used to create credentials for a relying party on behalf of a user. As credentials consist of a public/private key pair, authenticators also act as a secure store for the private key. This private key never leaves the authenticator and is used during authentication to sign authentication requests - a process called "assertion".

They can also:

Authenticator attachment modalities#

Authenticators can be categorized into two types depending on how they are attached to a client device:

  • Platform authenticators (also internal authenticators): platform authenticators are bound to a specific device. An Android smartphone, a Windows 10 device using Windows Hello or an Apple device with Touch ID or Face ID capabilities can serve as a platform authenticator. They make use of built-in cryptographic hardware elements (e.g. a TPM) that manage public and private key material and typically leverage biometric device capabilities through a built-in camera or fingerprint reader as a means for identifying users and asserting proof of possession of a credential (although biometrics are not a requirement: Windows Hello for example also allows using a PIN).

  • Roaming authenticators (also cross-platform authenticators): roaming authenticators are external, portable devices not bound to any one specific device. They can attach to a client device using different transports, including USB, NFC or Bluetooth. Security keys are an example of a roaming authenticator. Security key models can differ regarding their supported transport mechanisms, and their security characteristics: some models are capable of providing user verification (e.g. through a built-in fingerprint reader, or a capacitive touch sensor plus a PIN unlock) while others only allow for ensuring user presence (e.g. through a simple button press on the authenticator).

note

A compelling reason for using platform authenticators is their ubiquitousness: most modern end user devices nowadays can serve as platform authenticators such that additional hardware devices like security keys are not strictly necessary.

Nonetheless, a good practice is to use a cross-platform authenticator (i.e. a hardware security key) when creating an account or registering a credential with a relying party for the first time. Later, the user can optionally register a platform authenticator to perform authentication for the account.

Registering multiple authenticators not only facilitates account recovery but helps "bootstrapping" secondary devices: if a platform authenticator device is unavailable, the security key can be used to first authenticate with the relying party. Once authenticated, the user can then register the secondary device as a platform authenticator.

Requesting an authenticator type with the Hanko API#

When initializing a registration with the Hanko API, the preferred authenticator attachment type can be set in the request body using the options.authenticatorSelection.authenticatorAttachment attribute.

When initializing an authentication the attachment type can be set in the request body using the options.authenticatorAttachment attribute.

Possible values are:

  • platform: indicates that the authenticator should be a platform authenticator.

  • cross-platform: indicates that the authenticator should be a roaming authenticator.

Request platform authenticator on registration initialization - /v1/webauthn/registration/initialize
{
"options": {
"authenticatorSelection": {
"userVerification": "required",
"authenticatorAttachment": "platform",
"requireResidentKey": false
},
"attestation": "none"
},
"user": {
"id": "e3be22a7-13cf-4235-a09c-380dfd44ac04",
"name": "john.doe@example.com",
"displayName": "John Doe"
}
}
note

If no authenticatorAttachment was set during registration, then a credential will only be available when no authenticatorAttachment is set during authentication.