What is a Platform Authenticator in WebAuthn?

A Platform Authenticator is an integrated component within a device that manages cryptographic operations and securely stores credentials. It uses a device's inherent features, like biometric sensors to authenticate users. Examples include Apple's Touch ID and Face ID, Windows Hello, and Android's biometric capabilities. Unlike cross-platform (roaming) authenticators, platform authenticators are device-specific, offering a convenient and secure method for user authentication without the need for external devices.

---

Platform Authenticators represent a significant advancement in digital security, merging convenience with robust security measures to protect user identities and access. Here’s why they’re important in today’s digital ecosystem:

• Trusted Platform Module (TPM) / Secure Enclave / Trusted Execution Environment (TEE): A critical component in platform authenticators, TPM / Secure Enclaves / TEE securely generates and stores cryptographic keys, ensuring the device alone can authenticate the user. Which component is used depends on the operating system. Windows uses Trusted Platform Modules (TPM), while iOS and macOS make use of Secure Enclaves and Android uses Trusted Execution Environments (TEE).
• Biometric Authentication: By leveraging biometric data such as fingerprints or facial recognition, platform authenticators offer a highly secure and personal method of verification.

• Seamless User Experience: Authentication occurs directly on the device, streamlining the login process without compromising security (no additional device is needed).
• Widespread Adoption: Major tech platforms have integrated these platform authenticators, making secure access more accessible across various services and applications. Most people already unlock their personal devices with biometrics, so it’s a common pattern that platform authenticators rely on.

While platform authenticators are tied to a specific device, cross-platform (roaming) authenticators are portable, external devices used across multiple platforms. Here are some key differences:

• Device Specificity: Platform authenticators can only authenticate the user on the device they are integrated with, whereas roaming authenticators can be used with any compatible device.
• User Experience: Platform authenticators provide a more integrated and often smoother user experience, while roaming authenticators offer flexibility and portability.

For developers and organizations, supporting platform authenticators involves:

• WebAuthn API Integration: Implementing the WebAuthn API allows websites and applications to interact with the authenticator on the user's device.
• Security Considerations: Ensuring that biometric data and cryptographic keys are securely handled and stored within the device’s TPM / Secure Enclave / TEE (this is usually handled by the operating system and the respective APIs).

---

• No, platform authenticators are bound to a specific device, such as a smartphone or laptop, and utilize that device's built-in security features, like biometric scanners, for authentication. They cannot be transferred or used across multiple devices. However, a credential can be synced and verified on different devices (e.g. you cannot use the fingerprint from your macOS device on an iPhone with Face ID but the synced credential you use for authentication might be the same).

• Platform authenticators are considered highly secure due to their use of a Trusted Platform Module (TPM) / Secure Enclave / Trusted Execution Environment (TEE) for key management and their integration with the device's hardware, making the keys non-exportable and protected against phishing and other cyber attacks. The use of biometrics or PINs for user verification further enhances security.

• Most modern devices from major manufacturers like Apple, Microsoft, and Google support platform authenticators through features like Touch ID, Face ID, or Windows Hello. Check your device's security settings or documentation to confirm support for these features.

• While biometrics like fingerprints or facial recognition provide a convenient and secure method for user verification, they are not strictly required for a platform authenticator to function. Alternatives such as PINs or patterns can also be used, depending on the device's capabilities.