What is an Authenticator?
An authenticator is a cryptographically backed device responsible for creating and
securely storing WebAuthn user credentials for an application. Here are its core
functionalities:
- Creates public-private key pairs in WebAuthn / passkey authentication.
- Manages the private key and uses it for signing authentication requests.
- Comes in two main types: platform authenticator and roaming authenticator.
- Uses biometrics, PINs, or other methods for user authentication.
Key Takeaways
- An authenticator is a device that manages private keys for user application credentials.
- Platform authenticators are device-specific, like Apple's Touch ID / Face ID or
Microsoft's Windows Hello.
- Roaming authenticators are external devices like hardware security keys (e.g.
YubiKeys) used across various client devices.
Understanding Authenticators in Depth
Authenticators, at their core, offer a shield of security to web and native applications,
ensuring the right user accesses the right data. Let's break down the types:
Platform authenticators:
- Bound to Specific Devices: Each major tech company has its own version: Apple’s Touch ID
and Face ID, Microsoft’s Windows Hello, and Google’s Android biometric features.
- Trusted Platform Module (TPM): A built-in cryptographic element, TPM manages public and
private keys. It typically uses a device's biometric capability, such as face or
fingerprint scanners, for authenticating users. However, other methods like PINs in
Windows Hello or lock-screen patterns in Android smartphones are also prevalent.
Roaming authenticators:
- Portable and Versatile: These are external devices that can be used with different
client devices, like laptops or smartphones. They can connect using USB, NFC, or
Bluetooth.
- Varieties: The most common form is hardware security keys, such as YubiKeys. Some even
have fingerprint scanners, while others may require a simple button press.
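The distinctions above (platform vs. roaming, and biometric/PIN vs. a simple button press) map onto values a WebAuthn relying party can inspect. The following is an added example, not code from the original page: the function names, the `requireUserVerification` policy option and the sample inputs are hypothetical, and it assumes the signature, challenge and RP ID hash have already been verified elsewhere.

```javascript
// Added example (not from the original page). Names and sample inputs are hypothetical.
const FLAG_UP = 0x01; // user present, e.g. a button press on a security key
const FLAG_UV = 0x04; // user verified, e.g. biometric or PIN

// Parse the fixed 37-byte header of WebAuthn authenticator data:
// rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian).
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (bytes[32] & FLAG_UP) !== 0,
    userVerified: (bytes[32] & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Classify using what the browser reports: PublicKeyCredential.authenticatorAttachment
// and AuthenticatorAttestationResponse.getTransports(). These are client-supplied hints.
function classifyAuthenticator(attachment, transports = []) {
  if (attachment === "platform" || transports.includes("internal")) return "platform";
  const external = transports.some((t) => ["usb", "nfc", "ble"].includes(t));
  if (attachment === "cross-platform" || external) return "roaming";
  return "unknown";
}

// Policy check: always require presence; require verification when the app asks for it.
function checkCeremony({ attachment, transports, authData }, { requireUserVerification }) {
  const parsed = parseAuthenticatorData(authData);
  const type = classifyAuthenticator(attachment, transports);
  if (!parsed.userPresent) return { ok: false, type, reason: "user not present" };
  if (requireUserVerification && !parsed.userVerified) {
    return { ok: false, type, reason: "user verification required" };
  }
  return { ok: true, type, reason: null };
}

// Constructed sample data (rpIdHash left as zeros for brevity).
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}
const touchOnlyKey = { attachment: "cross-platform", transports: ["usb", "nfc"], authData: sampleAuthData(FLAG_UP, 7) };
const biometricPlatform = { attachment: "platform", transports: ["internal"], authData: sampleAuthData(FLAG_UP | FLAG_UV, 0) };
```

A touch-only security key passes when only presence is required and is rejected when the application demands user verification, while the biometric platform authenticator passes both.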
Authenticator FAQs
What is the primary function of an authenticator?
An authenticator is a cryptographically supported device used for creating and securely
storing user credentials for an application. Its primary function is to create
public-private-key pairs, manage the private key and utilize it for signing authentication
requests.
Platform authenticators are device-specific, like Apple's Touch ID / Face ID, and are
bound to a particular device. In contrast, roaming authenticators are external, portable
devices, such as security keys, that can be used across different client devices.
Can roaming authenticators be used for sharing passkeys?
Roaming authenticators should not be mistaken for passkey sharing capabilities like
QR code scanning, Bluetooth, or AirDrop. They serve different purposes in the realm
of user authentication.
