An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.
Using the terminology of the NIST Digital Identity Guidelines, the party to be authenticated is called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates possession and control of one or more authenticators to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.
Authenticators may be characterized in terms of secrets, factors, and physical forms.
Every authenticator is associated with at least one secret that the claimant uses to demonstrate possession and control of the authenticator. Since an attacker could use this secret to impersonate the user, an authenticator secret must be protected from theft or loss.
The type of secret is an important characteristic of the authenticator. There are three basic types of authenticator secret: a memorized secret and two types of cryptographic keys, either a symmetric key or a private key.
A memorized secret is intended to be memorized by the user. A well-known example of a memorized secret is the common password, also called a passcode, a passphrase, or a personal identification number (PIN).
An authenticator secret known to both the claimant and the verifier is called a shared secret. For example, a memorized secret may or may not be shared. A symmetric key is shared by definition. A private key is not shared.
An important type of secret that is both memorized and shared is the password. In the special case of a password, the authenticator is the secret.
A cryptographic authenticator is one that uses a cryptographic key. Depending on the key material, a cryptographic authenticator may use symmetric-key cryptography or public-key cryptography. Both avoid memorized secrets, and in the case of public-key cryptography, there are no shared secrets as well, which is an important distinction.
Examples of cryptographic authenticators include OATH authenticators and FIDO authenticators. By way of counterexample, a password authenticator is not a cryptographic authenticator. See the #Examples section for details.
A symmetric key is a shared secret used to perform symmetric-key cryptography. The claimant stores their copy of the shared key in a dedicated hardware-based authenticator or a software-based authenticator implemented on a smartphone. The verifier holds a copy of the symmetric key.
Public-private key pair
A public-private key pair is used to perform public-key cryptography. The public key is known to (and trusted by) the verifier while the corresponding private key is bound securely to the authenticator. In the case of a dedicated hardware-based authenticator, the private key never leaves the confines of the authenticator.
Authenticator factors and forms
An authenticator is something unique or distinctive to a user (something that one has), is activated by either a PIN (something that one knows), or is a biometric ("something that is unique to oneself"). An authenticator that provides only one of these factors is called a single-factor authenticator whereas a multi-factor authenticator incorporates two or more factors. A multi-factor authenticator is one way to achieve multi-factor authentication. A combination of two or more single-factor authenticators is not a multi-factor authentication, yet may be suitable in certain conditions.
Authenticators may take a variety of physical forms (except for a memorized secret, which is intangible). One can, for example, hold an authenticator in one's hand or wear one on the face, wrist, or finger.
It is convenient to describe an authenticator in terms of its hardware and software components. An authenticator is hardware-based or software-based depending on whether the secret is stored in hardware or software, respectively.
An important type of hardware-based authenticator is called a security key, also called a security token (not to be confused with access tokens, session tokens, or other types of security tokens). A security key stores its secret in hardware, which prevents the secret from being exported. A security key is also resistant to malware since the secret is at no time accessible to software running on the host machine.
A software-based authenticator (sometimes called a software token) may be implemented on a general-purpose electronic device such as a laptop, a tablet computer, or a smartphone. For example, a software-based authenticator implemented as a mobile app on the claimant's smartphone is a type of phone-based authenticator. To prevent access to the secret, a software-based authenticator may use a processor's trusted execution environment or a Trusted Platform Module (TPM) on the client device.
A platform authenticator is built into a particular client device platform, that is, it is implemented on device. In contrast, a roaming authenticator is a cross-platform authenticator that is implemented off device. A roaming authenticator connects to a device platform via a transport protocol such as USB.
The following sections describe narrow classes of authenticators. For a more comprehensive classification, see the NIST Digital Identity Guidelines.
To use an authenticator, the claimant must explicitly indicate their intent to authenticate. For example, each of the following gestures is sufficient to establish intent:
- The claimant types a password into a password field, or
- The claimant places their finger on a fingerprint reader, or
- The claimant presses a button to indicate approval
The latter is called a test of user presence (TUP). To activate a single-factor authenticator (something that one has), the claimant may be required to perform a TUP, which avoids unintended operation of the authenticator.
A password is a secret that is intended to be memorized by the claimant and shared with the verifier. Password authentication is the process whereby the claimant demonstrates knowledge of the password by transmitting it over the network to the verifier. If the transmitted password agrees with the previously shared secret, user authentication is successful.
One-time passwords (OTPs) have been used since the 1980s. In 2004, an Open Authentication Reference Architecture for the secure generation of OTPs was announced at the annual RSA Conference. The Initiative for Open Authentication (OATH) launched a year later. Two IETF standards grew out of this work, the HMAC-based One-time Password (HOTP) algorithm and the Time-based One-time Password (TOTP) algorithm specified by RFC 4226 and RFC 6238, respectively. By OATH OTP, we mean either HOTP or TOTP. OATH certifies conformance with the HOTP and TOTP standards.
A traditional password (something that one knows) is often combined with a one-time password (something that one has) to provide two-factor authentication. Both the password and the OTP are transmitted over the network to the verifier. If the password agrees with the previously shared secret, and the verifier can confirm the value of the OTP, user authentication is successful.
One-time passwords are generated on demand by a dedicated OATH OTP authenticator that encapsulates a secret that was previously shared with the verifier. Using the authenticator, the claimant generates an OTP using a cryptographic method. The verifier also generates an OTP using the same cryptographic method. If the two OTP values match, the verifier can conclude that the claimant possesses the shared secret.
A mobile push authenticator is essentially a native app running on the claimant's mobile phone. The app uses public-key cryptography to respond to push notifications. In other words, a mobile push authenticator is a single-factor cryptographic software authenticator. A mobile push authenticator (something that one has) is usually combined with a password (something that one knows) to provide two-factor authentication. Unlike one-time passwords, mobile push does not require a shared secret beyond the password.
After the claimant authenticates with a password, the verifier makes an out-of-band authentication request to a trusted third party that manages a public-key infrastructure on behalf of the verifier. The trusted third party sends a push notification to the claimant's mobile phone. The claimant demonstrates possession and control of the authenticator by pressing a button in the user interface, after which the authenticator responds with a digitally signed assertion. The trusted third party verifies the signature on the assertion and returns an authentication response to the verifier.
The proprietary mobile push authentication protocol runs on an out-of-band secondary channel, which provides flexible deployment options. Since the protocol requires an open network path to the claimant's mobile phone, if no such path is available (due to network issues, e.g.), the authentication process can not proceed.
A FIDO Universal 2nd Factor (U2F) authenticator (something that one has) is a single-factor cryptographic authenticator that is intended to be used in conjunction with an ordinary web password. Since the authenticator relies on public-key cryptography, U2F does not require an additional shared secret beyond the password.
To access a U2F authenticator, the claimant is required to perform a test of user presence (TUP), which helps prevent unauthorized access to the authenticator's functionality. In practice, a TUP consists of a simple button push.
To use a multi-factor authenticator, the claimant performs full user verification. The multi-factor authenticator (something that one has) is activated by a PIN (something that one knows), or a biometric (something that is unique to oneself"; e.g. fingerprint, face or voice recognition), or some other verification technique. ,
To withdraw cash from an automated teller machine (ATM), a bank customer inserts an ATM card into a cash machine and types a Personal Identification Number (PIN). The input PIN is compared to the PIN stored on the card's chip. If the two match, the ATM withdrawal can proceed.
Note that an ATM withdrawal involves a memorized secret (i.e., a PIN) but the true value of the secret is not known to the ATM in advance. The machine blindly passes the input PIN to the card, which compares the customer's input to the secret PIN stored on the card's chip. If the two match, the card reports success to the ATM and the transaction continues.
An ATM card is an example of a multi-factor authenticator. The card itself is something that one has while the PIN stored on the card's chip is presumably something that one knows. Presenting the card to the ATM and demonstrating knowledge of the PIN is a kind of multi-factor authentication.
Secure Shell (SSH) is a client-server protocol that uses public-key cryptography to create a secure channel over the network. In contrast to a traditional password, an SSH key is a cryptographic authenticator. The primary authenticator secret is the SSH private key, which is used by the client to digitally sign a message. The corresponding public key is used by the server to verify the message signature, which confirms that the claimant has possession and control of the private key.
To avoid theft, the SSH private key (something that one has) may be encrypted using a passphrase (something that one knows). To initiate a two-factor authentication process, the claimant supplies the passphrase to the client system.
Like a password, the SSH passphrase is a memorized secret but that is where the similarity ends. Whereas a password is a shared secret that is transmitted over the network, the SSH passphrase is not shared, and moreover, use of the passphrase is strictly confined to the client system. Authentication via SSH is an example of passwordless authentication since it avoids the transmission of a shared secret over the network. In fact, SSH authentication does not require a shared secret at all.
The FIDO U2F protocol standard became the starting point for the FIDO2 Project, a joint effort between the World Wide Web Consortium (W3C) and the FIDO Alliance. Project deliverables include the W3C Web Authentication (WebAuthn) standard and the FIDO Client to Authenticator Protocol (CTAP). Together WebAuthn and CTAP provide a strong authentication solution for the web.
A FIDO2 authenticator may be used in either single-factor mode or multi-factor mode. In single-factor mode, the authenticator is activated by a simple test of user presence (e.g., a button push). In multi-factor mode, the authenticator (something that one has) is activated by either a PIN (something that one knows) or a biometric ("something that is unique to oneself").
First and foremost, strong authentication begins with multi-factor authentication. The best thing one can do to protect a personal online account is to enable multi-factor authentication. There are two ways to achieve multi-factor authentication:
- Use a multi-factor authenticator
- Use a combination of two or more single-factor authenticators
In practice, a common approach is to combine a password authenticator (something that one knows) with some other authenticator (something that one has) such as a cryptographic authenticator.
Generally speaking, a cryptographic authenticator is preferred over an authenticator that does not use cryptographic methods. All else being equal, a cryptographic authenticator that uses public-key cryptography is better than one that uses symmetric-key cryptography since the latter requires shared keys (which may be stolen or misused).
Again all else being equal, a hardware-based authenticator is better than a software-based authenticator since the authenticator secret is presumably better protected in hardware. This preference is reflected in the NIST requirements outlined in the next section.
NIST authenticator assurance levels
NIST defines three levels of assurance with respect to authenticators. The highest authenticator assurance level (AAL3) requires multi-factor authentication using either a multi-factor authenticator or an appropriate combination of single-factor authenticators. At AAL3, at least one of the authenticators must be a cryptographic hardware-based authenticator. Given these basic requirements, possible authenticator combinations used at AAL3 include:
- A multi-factor cryptographic hardware-based authenticator
- A single-factor cryptographic hardware-based authenticator used in conjunction with some other authenticator (such as a password authenticator)
See the NIST Digital Identity Guidelines for further discussion of authenticator assurance levels.
Like authenticator assurance levels, the notion of a restricted authenticator is a NIST concept. The term refers to an authenticator with a demonstrated inability to resist attacks, which puts the reliability of the authenticator in doubt. Federal agencies mitigate the use a restricted authenticator by offering subscribers an alternative authenticator that is not restricted and by developing a migration plan in the event that a restricted authenticator is prohibited from use at some point in the future.
Currently, the use of the public switched telephone network is restricted by NIST. In particular, the out-of-band transmission of one-time passwords (OTPs) via recorded voice messages or SMS messages is restricted. Moreover, if an agency chooses to use voice- or SMS-based OTPs, that agency must verify that the OTP is being transmitted to a phone and not an IP address since Voice over IP (VoIP) accounts are not routinely protected with multi-factor authentication.
It is convenient to use passwords as a basis for comparison since it is widely understood how to use a password. On computer systems, passwords have been used since at least the early 1960s. More generally, passwords have been used since ancient times.
In 2012, Bonneau et al. evaluated two decades of proposals to replace passwords by systematically comparing web passwords to 35 competing authentication schemes in terms of their usability, deployability, and security. (The cited technical report is an extended version of the peer-reviewed paper by the same name.) They found that most schemes do better than passwords on security while every scheme does worse than passwords on deployability. In terms of usability, some schemes do better and some schemes do worse than passwords.
Google used the evaluation framework of Bonneau et al. to compare security keys to passwords and one-time passwords. They concluded that security keys are more usable and deployable than one-time passwords, and more secure than both passwords and one-time passwords.
- "National Information Assurance (IA) Glossary" (PDF). Committee on National Security Systems. 26 April 2010. Retrieved 31 March 2019.
- "Glossary of Telecommunication Terms". Institute for Telecommunication Sciences. 7 August 1996. Retrieved 31 March 2019.
- Grassi, Paul A.; Garcia, Michael E.; Fenton, James L. (June 2017). "NIST Special Publication 800-63-3: Digital Identity Guidelines". National Institute of Standards and Technology (NIST). doi:10.6028/NIST.SP.800-63-3. Retrieved 5 February 2019. Cite journal requires
- Lindemann, Rolf, ed. (11 April 2017). "FIDO Technical Glossary". FIDO Alliance. Retrieved 26 March 2019.
- Bianchi, Andrea; Oakley, Ian (2016). "Wearable authentication: Trends and opportunities" (PDF). It - Information Technology. 58 (5). doi:10.1515/itit-2016-0010. S2CID 12772550.
- Stein, Scott (26 July 2018). "Why can't Wear OS smartwatches be security keys too?". CNET. Retrieved 31 March 2019.
- Williams, Brett (27 June 2017). "This smart ring gives you instant mobile payments with beefed up security". Mashable. Retrieved 31 March 2019.
- "Case Study: Google Security Keys Work". FIDO Alliance. 7 December 2016. Retrieved 26 March 2019.
- Grassi, Paul A.; Fenton, James L.; Newton, Elaine M.; Perlner, Ray A.; Regenscheid, Andrew R.; Burr, William E.; Richer, Justin P. (2017). "NIST Special Publication 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management". National Institute of Standards and Technology (NIST). doi:10.6028/NIST.SP.800-63b. Retrieved 5 February 2019. Cite journal requires
- Kucan, Berislav (24 February 2004). "Open Authentication Reference Architecture Announced". Help Net Security. Retrieved 26 March 2019.
- "OATH Specifications and Technical Resources". Initiative for Open Authentication. Retrieved 26 March 2019.
- "OATH Certification". The Initiative for Open Authentication (OATH). Retrieved 3 February 2019.
- Hoffman-Andrews, Jacob; Gebhart, Gennie (22 September 2017). "A Guide to Common Types of Two-Factor Authentication on the Web". Electronic Frontier Foundation. Retrieved 26 March 2019.
- "Google Authenticator". Retrieved 3 February 2019.
- Brand, Christiaan; Czeskis, Alexei; Ehrensvärd, Jakob; Jones, Michael B.; Kumar, Akshay; Lindemann, Rolf; Powers, Adam; Verrept, Johan, eds. (30 January 2019). "Client to Authenticator Protocol (CTAP)". FIDO Alliance. Retrieved 22 March 2019.
- "FIDO2: Moving the World Beyond Passwords". FIDO Alliance. Retrieved 30 January 2019.
- Balfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Liao, Angelo; Lindemann, Rolf; Lundberg, Emil (eds.). "Web Authentication: An API for accessing Public Key Credentials Level 1". World Wide Web Consortium (W3C). Retrieved 30 January 2019.
- Simons, Alex (November 20, 2018). "Secure password-less sign-in for your Microsoft account using a security key or Windows Hello". Microsoft. Retrieved 6 March 2019.
- "Android Now FIDO2 Certified, Accelerating Global Migration Beyond Passwords". BARCELONA: FIDO Alliance. February 25, 2019. Retrieved 6 March 2019.
- "Two-factor authentication (2FA); new guidance from the NCSC". National Cyber Security Centre (NCSC). 8 Aug 2018.
- Hunt, Troy (5 November 2018). "Here's Why [Insert Thing Here] Is Not a Password Killer". Retrieved 24 March 2019.
- McMillan, Robert (27 January 2012). "The World's First Computer Password? It Was Useless Too". Wired magazine. Retrieved 22 March 2019.
- Hunt, Troy (26 July 2017). "Passwords Evolved: Authentication Guidance for the Modern Era". Retrieved 22 March 2019.
- Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes". Technical Report - University of Cambridge. Computer Laboratory. Cambridge, UK: University of Cambridge Computer Laboratory. ISSN 1476-2986. Retrieved 22 March 2019.
- Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. 2012 IEEE Symposium on Security and Privacy. San Francisco, CA. pp. 553–567. doi:10.1109/SP.2012.44.
- Lang, Juan; Czeskis, Alexei; Balfanz, Dirk; Schilder, Marius; Srinivas, Sampath (2016). "Security Keys: Practical Cryptographic Second Factors for the Modern Web" (PDF). Financial Cryptography and Data Security 2016. Retrieved 26 March 2019.