What is an Authenticator in WebAuthn?
Vincent
Created: October 29, 2023
Updated: April 23, 2025
What is an Authenticator?#
An authenticator is a cryptographically backed device responsible for creating and securely storing WebAuthn user credentials for an application. Here are its core functionalities:
- Creates public-private-key pairs in WebAuthn / passkey authentication.
- Manages the private key and uses them for signing authentication requests.
- Comes in two main types: platform authenticator and roaming authenticator.
- Uses biometrics, PINs, or other methods for user authentication.
Key Takeaways#
- An authenticator is a device that manages private keys for user application credentials.
- Platform authenticators are device-specific like Apple's Touch ID / Face ID or Microsoft's Windows Hello.
- Roaming authenticators are external devices like hardware security keys (e.g. YubiKeys) used across various client devices
Understanding Authenticators in Depth#
Authenticators, at their core, offer a shield of security to web and native applications, ensuring the right user accesses the right data. Let's break down the types:
Platform Authenticator (Internal Authenticator):#
- Bound to Specific Devices: Each major tech company has its version: Apple’s Touch ID and Face ID, Microsoft’s Windows Hello, and Google’s Android biometric features.
- Trusted Platform Module (TPM): A built-in cryptographic element, TPM manages public and private keys. It typically uses a device's biometric capability, such as face or fingerprint scanners, for authenticating users. However, other methods like PINs in Windows Hello or lock-screen patterns in Android smartphones are also prevalent.
Roaming Authenticators (Cross-platform Authenticators):#
- Portable and Versatile: These are external devices that can be used with different client devices, like laptops or smartphones. They can connect using USB, NFC, or Bluetooth.
- Varieties: The most common form are hardware security keys, such as YubiKeys. Some even have fingerprint scanners, while others may require a simple button press.
Authenticator FAQs#
What is the primary function of an authenticator?#
An authenticator is a cryptographically supported device used for creating and securely storing user credentials for an application. Its primary function is to create public-private-key pairs, manage the private key and utilize it for signing authentication requests.
How do platform authenticators differ from roaming authenticators?#
Platform authenticators are device-specific, like Apple's Touch ID / Face ID, and are bound to a particular device. In contrast, roaming authenticators are external, portable devices, such as security keys, that can be used across different client devices.
Can roaming authenticators be used for sharing passkeys?#
Roaming authenticators should not be mistaken for passkey sharing capabilities like QR code scanning, Bluetooth, or AirDrop. They serve different purposes in the realm of user authentication.
Share this article
Table of Contents
Enjoyed this read?
🤝 Join our Passkeys Community
Share passkeys implementation tips and get support to free the world from passwords.
🚀 Subscribe to Substack
Get the latest news, strategies, and insights about passkeys sent straight to your inbox.
