==Classification==

Authenticators may be characterized in terms of secrets, factors, and physical forms.

===Authenticator secrets===

Every authenticator is associated with at least one secret that the claimant uses to demonstrate possession and control of the authenticator. Since an attacker could use this secret to impersonate the user, an authenticator secret must be protected from theft or loss.

The type of secret is an important characteristic of the authenticator. There are three basic types of authenticator secret: a memorized secret and two types of cryptographic keys, either a symmetric key or a private key.

====Memorized secret====

A memorized secret is intended to be memorized by the user. A well-known example of a memorized secret is the common [[password]], also called a passcode, a [[passphrase]], or a [[personal identification number]] (PIN).

An authenticator secret known to both the claimant and the verifier is called a [[shared secret]]. A memorized secret may or may not be shared. A symmetric key is shared by definition. A private key is not shared.

An important type of secret that is both memorized and shared is the password. In the special case of a password, the authenticator '''is''' the secret.

====Cryptographic key====

A cryptographic authenticator is one that uses a [[Key (cryptography)|cryptographic key]]. Depending on the key material, a cryptographic authenticator may use [[Cryptography#Symmetric-key cryptography|symmetric-key cryptography]] or [[Cryptography#Public-key cryptography|public-key cryptography]]. Both avoid memorized secrets, and in the case of public-key cryptography there are no [[shared secret]]s either, which is an important distinction.

Examples of cryptographic authenticators include [[Initiative for Open Authentication|OATH]] authenticators and [[FIDO Alliance|FIDO]] authenticators. The name OATH is an acronym from the words "Open AuTHentication" while FIDO stands for Fast IDentity Online. Both are the results of an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication.

By way of counterexample, a password authenticator is '''not''' a cryptographic authenticator. See the [[#Examples]] section for details.

=====Symmetric key=====

A symmetric key is a shared secret used to perform symmetric-key cryptography. The claimant stores their copy of the shared key in a dedicated hardware-based authenticator or a software-based authenticator implemented on a smartphone. The verifier holds a copy of the symmetric key.

=====Public-private key pair=====

A public-private key pair is used to perform public-key cryptography. The public key is known to (and trusted by) the verifier while the corresponding private key is bound securely to the authenticator. In the case of a dedicated hardware-based authenticator, the private key never leaves the confines of the authenticator.

===Authenticator factors and forms===

An authenticator is something unique or distinctive to a user (''something that one has''), is activated by either a [[Personal identification number|PIN]] (''something that one knows''), or is a [[Biometrics|biometric]] (''something that is unique to oneself''). An authenticator that provides only one of these factors is called a single-factor authenticator whereas a multi-factor authenticator incorporates two or more factors. A multi-factor authenticator is one way to achieve [[multi-factor authentication]]. A combination of two or more single-factor authenticators does not constitute multi-factor authentication, yet may be suitable in certain conditions.

Authenticators may take a variety of physical forms (except for a memorized secret, which is intangible). One can, for example, hold an authenticator in one's hand or wear one on the face, wrist, or finger.<ref>{{cite journal |last1=Bianchi |first1=Andrea |last2=Oakley |first2=Ian |title=Wearable authentication: Trends and opportunities |journal=It - Information Technology |date=2016 |volume=58 |issue=5 |pages=255–262 |doi=10.1515/itit-2016-0010 |s2cid=12772550 |url=http://alsoplantsfly.com/files/2016/Bianchi_WearableAuthentication_itit16.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://alsoplantsfly.com/files/2016/Bianchi_WearableAuthentication_itit16.pdf |archive-date=2022-10-09 |url-status=live}}</ref><ref>{{cite web |last1=Stein |first1=Scott |title=Why can't Wear OS smartwatches be security keys too? |url=https://www.cnet.com/news/why-cant-wear-os-smartwatches-be-security-keys-too/ |website=CNET |access-date=31 March 2019 |date=26 July 2018}}</ref><ref>{{cite web |last1=Williams |first1=Brett |title=This smart ring gives you instant mobile payments with beefed up security |url=https://mashable.com/2017/06/27/token-wearable-ring-authenticator/ |publisher=Mashable |access-date=31 March 2019 |date=27 June 2017}}</ref>

It is convenient to describe an authenticator in terms of its hardware and software components. An authenticator is hardware-based or software-based depending on whether the secret is stored in hardware or software, respectively.

An important type of hardware-based authenticator is called a security key,<ref>{{cite web |title=Case Study: Google Security Keys Work |url=https://fidoalliance.org/case-study-series-google-security-keys-work/ |publisher=[[FIDO Alliance]] |access-date=26 March 2019 |date=7 December 2016}}</ref> also called a [[security token]] (not to be confused with [[access token]]s, [[session token]]s, or other types of security tokens). A security key stores its secret in hardware, which prevents the secret from being exported. A security key is also resistant to malware since the secret is at no time accessible to software running on the host machine.

A software-based authenticator (sometimes called a [[software token]]) may be implemented on a general-purpose electronic device such as a [[laptop]], a [[tablet computer]], or a [[smartphone]]. For example, a software-based authenticator implemented as a [[mobile app]] on the claimant's smartphone is a type of phone-based authenticator. To prevent access to the secret, a software-based authenticator may use a processor's [[trusted execution environment]] or a [[Trusted Platform Module]] (TPM) on the client device.

A platform authenticator is built into a particular client device platform, that is, it is implemented on device. In contrast, a roaming authenticator is a cross-platform authenticator that is implemented off device. A roaming authenticator connects to a device platform via a transport protocol such as [[USB]].
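The following Go program is an added illustration, not part of the article or of any OATH or FIDO specification, of the distinction drawn above between a symmetric-key authenticator and a public-private key pair authenticator: in the symmetric case the verifier must keep a copy of the claimant's key (a shared secret), whereas in the public-key case the verifier stores only a public key that cannot produce a valid response. The challenge, key and type names are constructed for the example; HMAC-SHA256 stands in for an OATH-style symmetric scheme and Ed25519 for a FIDO-style signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SymmetricAuthenticator models an OATH-style authenticator: claimant and
// verifier hold the same key, so that key is a shared secret by definition.
type SymmetricAuthenticator struct{ Key []byte }
// Respond answers a verifier challenge with HMAC-SHA256 under the shared key.
func (a SymmetricAuthenticator) Respond(challenge []byte) []byte {
	m := hmac.New(sha256.New, a.Key)
	m.Write(challenge)
	return m.Sum(nil)
}
// VerifySymmetric recomputes the response, so the verifier must store the very
// key the claimant uses: a leaked verifier database is a leaked authenticator.
func VerifySymmetric(key, challenge, response []byte) bool {
	return hmac.Equal(SymmetricAuthenticator{Key: key}.Respond(challenge), response)
}

// AsymmetricAuthenticator models a FIDO-style authenticator: the private key
// stays inside the authenticator and only the public key is registered.
type AsymmetricAuthenticator struct{ priv ed25519.PrivateKey }
// NewAsymmetricAuthenticator returns the authenticator and its public key.
func NewAsymmetricAuthenticator() (AsymmetricAuthenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return AsymmetricAuthenticator{priv: priv}, pub, err
}
// Respond signs the challenge; the verifier never sees the private key.
func (a AsymmetricAuthenticator) Respond(challenge []byte) []byte {
	return ed25519.Sign(a.priv, challenge)
}
// VerifyAsymmetric needs only the public key, which cannot forge a response.
func VerifyAsymmetric(pub ed25519.PublicKey, challenge, response []byte) bool {
	return ed25519.Verify(pub, challenge, response)
}

func main() {
	challenge := []byte("constructed-challenge-42") // constructed sample value
	sym := SymmetricAuthenticator{Key: []byte("constructed-shared-key")}
	fmt.Println("symmetric ok:", VerifySymmetric(sym.Key, challenge, sym.Respond(challenge)))
	asym, pub, _ := NewAsymmetricAuthenticator()
	fmt.Println("public-key ok:", VerifyAsymmetric(pub, challenge, asym.Respond(challenge)))
}
```

A fresh random challenge per authentication is what keeps a captured response from being replayed; both verifiers reject a response computed over a different challenge.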