Authenticator

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

Using the terminology of the NIST Digital Identity Guidelines, the party to be authenticated is called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates possession and control of one or more authenticators to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

Classification
Authenticators may be characterized in terms of secrets, factors, and physical forms.

Authenticator secrets
Every authenticator is associated with at least one secret that the claimant uses to demonstrate possession and control of the authenticator. Since an attacker could use this secret to impersonate the user, an authenticator secret must be protected from theft or loss.

The type of secret is an important characteristic of the authenticator. There are three basic types of authenticator secret: a memorized secret and two types of cryptographic keys, either a symmetric key or a private key.

Memorized secret
A memorized secret is intended to be memorized by the user. A well-known example of a memorized secret is the common password, also called a passcode, a passphrase, or a personal identification number (PIN).

An authenticator secret known to both the claimant and the verifier is called a shared secret. For example, a memorized secret may or may not be shared. A symmetric key is shared by definition. A private key is not shared.

An important type of secret that is both memorized and shared is the password. In the special case of a password, the authenticator is the secret.

Cryptographic key
A cryptographic authenticator is one that uses a cryptographic key. Depending on the key material, a cryptographic authenticator may use symmetric-key cryptography or public-key cryptography. Both avoid memorized secrets, and in the case of public-key cryptography, there are no shared secrets as well, which is an important distinction.

Examples of cryptographic authenticators include OATH authenticators and FIDO authenticators. The name OATH is an acronym from the words "Open AuTHentication" while FIDO stands for Fast IDentity Online. Both are the results of an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication.

By way of counterexample, a password authenticator is not a cryptographic authenticator. See the section for details.

Symmetric key
A symmetric key is a shared secret used to perform symmetric-key cryptography. The claimant stores their copy of the shared key in a dedicated hardware-based authenticator or a software-based authenticator implemented on a smartphone. The verifier holds a copy of the symmetric key.

Public-private key pair
A public-private key pair is used to perform public-key cryptography. The public key is known to (and trusted by) the verifier while the corresponding private key is bound securely to the authenticator. In the case of a dedicated hardware-based authenticator, the private key never leaves the confines of the authenticator.

Authenticator factors and forms
An authenticator is something unique or distinctive to a user (something that one has), is activated by either a PIN (something that one knows), or is a biometric ("something that is unique to oneself"). An authenticator that provides only one of these factors is called a single-factor authenticator whereas a multi-factor authenticator incorporates two or more factors. A multi-factor authenticator is one way to achieve multi-factor authentication. A combination of two or more single-factor authenticators is not a multi-factor authentication, yet may be suitable in certain conditions.

Authenticators may take a variety of physical forms (except for a memorized secret, which is intangible). One can, for example, hold an authenticator in one's hand or wear one on the face, wrist, or finger.

It is convenient to describe an authenticator in terms of its hardware and software components. An authenticator is hardware-based or software-based depending on whether the secret is stored in hardware or software, respectively.

An important type of hardware-based authenticator is called a security key, also called a security token (not to be confused with access tokens, session tokens, or other types of security tokens). A security key stores its secret in hardware, which prevents the secret from being exported. A security key is also resistant to malware since the secret is at no time accessible to software running on the host machine.

A software-based authenticator (sometimes called a software token) may be implemented on a general-purpose electronic device such as a laptop, a tablet computer, or a smartphone. For example, a software-based authenticator implemented as a mobile app on the claimant's smartphone is a type of phone-based authenticator. To prevent access to the secret, a software-based authenticator may use a processor's trusted execution environment or a Trusted Platform Module (TPM) on the client device.

A platform authenticator is built into a particular client device platform, that is, it is implemented on device. In contrast, a roaming authenticator is a cross-platform authenticator that is implemented off device. A roaming authenticator connects to a device platform via a transport protocol such as USB.

Examples
The following sections describe narrow classes of authenticators. For a more comprehensive classification, see the NIST Digital Identity Guidelines.

Single-factor authenticators
To use an authenticator, the claimant must explicitly indicate their intent to authenticate. For example, each of the following gestures is sufficient to establish intent:


 * The claimant types a password into a password field, or
 * The claimant places their finger on a fingerprint reader, or
 * The claimant presses a button to indicate approval

The latter is called a test of user presence (TUP). To activate a single-factor authenticator (something that one has), the claimant may be required to perform a TUP, which avoids unintended operation of the authenticator.

A password is a secret that is intended to be memorized by the claimant and shared with the verifier. Password authentication is the process whereby the claimant demonstrates knowledge of the password by transmitting it over the network to the verifier. If the transmitted password agrees with the previously shared secret, user authentication is successful.

OATH OTP
One-time passwords (OTPs) have been used since the 1980s. In 2004, an Open Authentication Reference Architecture for the secure generation of OTPs was announced at the annual RSA Conference. The Initiative for Open Authentication (OATH) launched a year later. Two IETF standards grew out of this work, the HMAC-based One-time Password (HOTP) algorithm and the Time-based One-time Password (TOTP) algorithm specified by RFC 4226 and RFC 6238, respectively. By OATH OTP, we mean either HOTP or TOTP. OATH certifies conformance with the HOTP and TOTP standards.

A traditional password (something that one knows) is often combined with a one-time password (something that one has) to provide two-factor authentication. Both the password and the OTP are transmitted over the network to the verifier. If the password agrees with the previously shared secret, and the verifier can confirm the value of the OTP, user authentication is successful.

One-time passwords are generated on demand by a dedicated OATH OTP authenticator that encapsulates a secret that was previously shared with the verifier. Using the authenticator, the claimant generates an OTP using a cryptographic method. The verifier also generates an OTP using the same cryptographic method. If the two OTP values match, the verifier can conclude that the claimant possesses the shared secret.

A well-known example of an OATH authenticator is Google Authenticator, a phone-based authenticator that implements both HOTP and TOTP.

Mobile Push
A mobile push authenticator is essentially a native app running on the claimant's mobile phone. The app uses public-key cryptography to respond to push notifications. In other words, a mobile push authenticator is a single-factor cryptographic software authenticator. A mobile push authenticator (something that one has) is usually combined with a password (something that one knows) to provide two-factor authentication. Unlike one-time passwords, mobile push does not require a shared secret beyond the password.

After the claimant authenticates with a password, the verifier makes an out-of-band authentication request to a trusted third party that manages a public-key infrastructure on behalf of the verifier. The trusted third party sends a push notification to the claimant's mobile phone. The claimant demonstrates possession and control of the authenticator by pressing a button in the user interface, after which the authenticator responds with a digitally signed assertion. The trusted third party verifies the signature on the assertion and returns an authentication response to the verifier.

The proprietary mobile push authentication protocol runs on an out-of-band secondary channel, which provides flexible deployment options. Since the protocol requires an open network path to the claimant's mobile phone, if no such path is available (due to network issues, e.g.), the authentication process can not proceed.

FIDO U2F
A FIDO Universal 2nd Factor (U2F) authenticator (something that one has) is a single-factor cryptographic authenticator that is intended to be used in conjunction with an ordinary web password. Since the authenticator relies on public-key cryptography, U2F does not require an additional shared secret beyond the password.

To access a U2F authenticator, the claimant is required to perform a test of user presence (TUP), which helps prevent unauthorized access to the authenticator's functionality. In practice, a TUP consists of a simple button push.

A U2F authenticator interoperates with a conforming web user agent that implements the U2F JavaScript API. A U2F authenticator necessarily implements the CTAP1/U2F protocol, one of the two protocols specified in the FIDO Client to Authenticator Protocol.

Unlike mobile push authentication, the U2F authentication protocol runs entirely on the front channel. Two round trips are required. The first round trip is ordinary password authentication. After the claimant authenticates with a password, the verifier sends a challenge to a conforming browser, which communicates with the U2F authenticator via a custom JavaScript API. After the claimant performs the TUP, the authenticator signs the challenge and returns the signed assertion to the verifier via the browser.

Multi-factor authenticators
To use a multi-factor authenticator, the claimant performs full user verification. The multi-factor authenticator (something that one has) is activated by a PIN (something that one knows), or a biometric (something that is unique to oneself"; e.g. fingerprint, face or voice recognition), or some other verification technique. ,

ATM card
To withdraw cash from an automated teller machine (ATM), a bank customer inserts an ATM card into a cash machine and types a Personal Identification Number (PIN). The input PIN is compared to the PIN stored on the card's chip. If the two match, the ATM withdrawal can proceed.

Note that an ATM withdrawal involves a memorized secret (i.e., a PIN) but the true value of the secret is not known to the ATM in advance. The machine blindly passes the input PIN to the card, which compares the customer's input to the secret PIN stored on the card's chip. If the two match, the card reports success to the ATM and the transaction continues.

An ATM card is an example of a multi-factor authenticator. The card itself is something that one has while the PIN stored on the card's chip is presumably something that one knows. Presenting the card to the ATM and demonstrating knowledge of the PIN is a kind of multi-factor authentication.

Secure Shell
Secure Shell (SSH) is a client-server protocol that uses public-key cryptography to create a secure channel over the network. In contrast to a traditional password, an SSH key is a cryptographic authenticator. The primary authenticator secret is the SSH private key, which is used by the client to digitally sign a message. The corresponding public key is used by the server to verify the message signature, which confirms that the claimant has possession and control of the private key.

To avoid theft, the SSH private key (something that one has) may be encrypted using a passphrase (something that one knows). To initiate a two-factor authentication process, the claimant supplies the passphrase to the client system.

Like a password, the SSH passphrase is a memorized secret but that is where the similarity ends. Whereas a password is a shared secret that is transmitted over the network, the SSH passphrase is not shared, and moreover, use of the passphrase is strictly confined to the client system. Authentication via SSH is an example of passwordless authentication since it avoids the transmission of a shared secret over the network. In fact, SSH authentication does not require a shared secret at all.

FIDO2
The FIDO U2F protocol standard became the starting point for the FIDO2 Project, a joint effort between the World Wide Web Consortium (W3C) and the FIDO Alliance. Project deliverables include the W3C Web Authentication (WebAuthn) standard and the FIDO Client to Authenticator Protocol (CTAP). Together WebAuthn and CTAP provide a strong authentication solution for the web.

A FIDO2 authenticator, also called a WebAuthn authenticator, uses public-key cryptography to interoperate with a WebAuthn client, that is, a conforming web user agent that implements the WebAuthn JavaScript API. The authenticator may be a platform authenticator, a roaming authenticator, or some combination of the two. For example, a FIDO2 authenticator that implements the CTAP2 protocol is a roaming authenticator that communicates with a WebAuthn client via one or more of the following transport options: USB, near-field communication (NFC), or Bluetooth Low Energy (BLE). Concrete examples of FIDO2 platform authenticators include Windows Hello and the Android operating system.

A FIDO2 authenticator may be used in either single-factor mode or multi-factor mode. In single-factor mode, the authenticator is activated by a simple test of user presence (e.g., a button push). In multi-factor mode, the authenticator (something that one has) is activated by either a PIN (something that one knows) or a biometric ("something that is unique to oneself").

Security code
First and foremost, strong authentication begins with multi-factor authentication. The best thing one can do to protect a personal online account is to enable multi-factor authentication. There are two ways to achieve multi-factor authentication:


 * 1) Use a multi-factor authenticator
 * 2) Use a combination of two or more single-factor authenticators

In practice, a common approach is to combine a password authenticator (something that one knows) with some other authenticator (something that one has) such as a cryptographic authenticator.

Generally speaking, a cryptographic authenticator is preferred over an authenticator that does not use cryptographic methods. All else being equal, a cryptographic authenticator that uses public-key cryptography is better than one that uses symmetric-key cryptography since the latter requires shared keys (which may be stolen or misused).

Again all else being equal, a hardware-based authenticator is better than a software-based authenticator since the authenticator secret is presumably better protected in hardware. This preference is reflected in the NIST requirements outlined in the next section.

NIST authenticator assurance levels
NIST defines three levels of assurance with respect to authenticators. The highest authenticator assurance level (AAL3) requires multi-factor authentication using either a multi-factor authenticator or an appropriate combination of single-factor authenticators. At AAL3, at least one of the authenticators must be a cryptographic hardware-based authenticator. Given these basic requirements, possible authenticator combinations used at AAL3 include:


 * 1) A multi-factor cryptographic hardware-based authenticator
 * 2) A single-factor cryptographic hardware-based authenticator used in conjunction with some other authenticator (such as a password authenticator)

See the NIST Digital Identity Guidelines for further discussion of authenticator assurance levels.

Restricted authenticators
Like authenticator assurance levels, the notion of a restricted authenticator is a NIST concept. The term refers to an authenticator with a demonstrated inability to resist attacks, which puts the reliability of the authenticator in doubt. Federal agencies mitigate the use a restricted authenticator by offering subscribers an alternative authenticator that is not restricted and by developing a migration plan in the event that a restricted authenticator is prohibited from use at some point in the future.

Currently, the use of the public switched telephone network is restricted by NIST. In particular, the out-of-band transmission of one-time passwords (OTPs) via recorded voice messages or SMS messages is restricted. Moreover, if an agency chooses to use voice- or SMS-based OTPs, that agency must verify that the OTP is being transmitted to a phone and not an IP address since Voice over IP (VoIP) accounts are not routinely protected with multi-factor authentication.

Comparison
It is convenient to use passwords as a basis for comparison since it is widely understood how to use a password. On computer systems, passwords have been used since at least the early 1960s. More generally, passwords have been used since ancient times.

In 2012, Bonneau et al. evaluated two decades of proposals to replace passwords by systematically comparing web passwords to 35 competing authentication schemes in terms of their usability, deployability, and security. (The cited technical report is an extended version of the peer-reviewed paper by the same name. ) They found that most schemes do better than passwords on security while every scheme does worse than passwords on deployability. In terms of usability, some schemes do better and some schemes do worse than passwords.

Google used the evaluation framework of Bonneau et al. to compare security keys to passwords and one-time passwords. They concluded that security keys are more usable and deployable than one-time passwords, and more secure than both passwords and one-time passwords.