Authenticators are cryptographically backed hardware or software devices used to create credentials for a relying party on behalf of a user. As credentials consist of a public/private key pair, authenticators also act as a secure store for the private key. This private key never leaves the authenticator and is used during authentication to sign authentication requests - a process called "assertion".
They can also:
- provide information about their type and security characteristics via attestation during registration (see also Authenticator trust model) or
- verify the user during registration or authentication (see also User verification vs. user presence)
Authenticators can be categorized into two types depending on how they are attached to a client device:
Platform authenticators (also internal authenticators): platform authenticators are bound to a specific device. An Android smartphone, a Windows 10 device using Windows Hello or an Apple device with Touch ID or Face ID capabilities can serve as a platform authenticator. They make use of built-in cryptographic hardware elements (e.g. a TPM) that manage public and private key material and typically leverage biometric device capabilities through a built-in camera or fingerprint reader as a means for identifying users and asserting proof of possession of a credential (although biometrics are not a requirement: Windows Hello for example also allows using a PIN).
Roaming authenticators (also cross-platform authenticators): roaming authenticators are external, portable devices not bound to any one specific device. They can attach to a client device using different transports, including USB, NFC or Bluetooth. Security keys are an example of a roaming authenticator. Security key models can differ regarding their supported transport mechanisms, and their security characteristics: some models are capable of providing user verification (e.g. through a built-in fingerprint reader, or a capacitive touch sensor plus a PIN unlock) while others only allow for ensuring user presence (e.g. through a simple button press on the authenticator).
A compelling reason for using platform authenticators is their ubiquity: most modern end-user devices can serve as platform authenticators, so additional hardware devices like security keys are not strictly necessary.
Nonetheless, a good practice is to use a cross-platform authenticator (i.e. a hardware security key) when creating an account or registering a credential with a relying party for the first time. Later, the user can optionally register a platform authenticator to perform authentication for the account.
Registering multiple authenticators not only facilitates account recovery but also helps with "bootstrapping" secondary devices: if a platform authenticator device is unavailable, the security key can be used to first authenticate with the relying party. Once authenticated, the user can then register the secondary device as a platform authenticator.
When initializing a registration with the Hanko API, the preferred authenticator attachment type can be set in the request body using the
When initializing an authentication, the attachment type can be set in the request body using the
Possible values are:
- platform: indicates that the authenticator should be a platform authenticator.
- cross-platform: indicates that the authenticator should be a roaming authenticator.
If authenticatorAttachment was set during registration, then a credential will only be available when no authenticatorAttachment is set during authentication.