Authenticator types

Learn about different passkey authenticator types

The WebAuthn standard supports two types of authenticator modalities: Platform and cross-platform authenticators.

Platform authenticators

Also referred to as internal authenticators, are sensors/input devices such as fingerprint scanners that are built directly into everyday devices. The goal of these authenticators is to provide seamless authentication on a single, specific device. A user registering their fingerprint on their smartphone will not necessarily be able to authenticate using the same fingerprint on their laptop. Platform authenticators must include:

  • A TPM module, which is a security chip that is capable of handling public and private keys.

  • Camera, biometric scanner, or other input device that allows a user to provide an additional factor to the authenticator. This input doesn’t necessarily need to be a biometric sensor - something like a PIN is an acceptable additional factor.

Platform authenticators provide seamless authentication for the device that it’s bound to, but struggles in scenarios where the user needs to authenticate into a device that they don’t frequently use. Hybrid flows help to mitigate this drawback, but may be constrained by device interoperability.

Cross platform authenticators

Also referred to as roaming authenticators, are bound to an external hardware device allowing them to be safely removed, and used across devices that support its connector type (USB, NFC, bluetooth). Cross platform devices allow a user to bootstrap new devices, where the act of authorizing a new workstation occurs when a user connects their authenticator. Should an authorized workstation be lost or corrupted, the authenticator is still capable of connecting to a new device to bootstrap the user’s account.