Authenticator
===Multi-factor authenticators===
To use a multi-factor authenticator, the claimant performs full user verification. The multi-factor authenticator (''something that one has'') is activated by a [[Personal identification number|PIN]] (''something that one knows''), or a [[Biometrics|biometric]] (''something that is unique to oneself''; e.g. fingerprint, face or voice recognition), or some other verification technique.<ref name="NIST-SP-800-63-3" />

====ATM card====
To withdraw cash from an [[automated teller machine]] (ATM), a bank customer inserts an ATM card into a cash machine and types a Personal Identification Number (PIN). The input PIN is compared to the PIN stored on the card's chip. If the two match, the ATM withdrawal can proceed.

Note that an ATM withdrawal involves a memorized secret (i.e., a PIN) but the true value of the secret is not known to the ATM in advance. The machine blindly passes the input PIN to the card, which compares the customer's input to the secret PIN stored on the card's chip. If the two match, the card reports success to the ATM and the transaction continues. (Some deployments instead send the entered PIN, encrypted, to the card issuer for online verification; either way the ATM itself never holds the reference PIN.)

An ATM card is an example of a multi-factor authenticator. The card itself is ''something that one has'' while the PIN stored on the card's chip is presumably ''something that one knows''. Presenting the card to the ATM and demonstrating knowledge of the PIN is a kind of multi-factor authentication.

====Secure Shell====
[[Secure Shell]] (SSH) is a client-server protocol that uses public-key cryptography to create a secure channel over the network. In contrast to a traditional password, an SSH key is a cryptographic authenticator. The primary authenticator secret is the SSH private key, which is used by the client to digitally sign a message. The corresponding public key is used by the server to verify the message signature, which confirms that the claimant has possession and control of the private key.

To protect against theft of the key file, the SSH private key (''something that one has'') may be encrypted using a [[passphrase]] (''something that one knows''). To initiate a two-factor authentication process, the claimant supplies the passphrase to the client system. Like a password, the SSH passphrase is a memorized secret, but that is where the similarity ends. Whereas a password is a shared secret that is transmitted over the network, the SSH passphrase is not shared, and moreover, use of the passphrase is strictly confined to the client system. Authentication via SSH is an example of [[passwordless authentication]] since it avoids the transmission of a shared secret over the network. In fact, SSH authentication does not require a shared secret at all.

====FIDO2====
[[File:Bitwarden Passkey window screenshot.png|thumb|upright=1.2|Example of WebAuthn ([[Pixiv]] with [[Bitwarden]])]]
The FIDO U2F protocol standard became the starting point for the [[FIDO2 Project]], a joint effort between the World Wide Web Consortium (W3C) and the FIDO Alliance. Project deliverables include the W3C Web Authentication ([[WebAuthn]]) standard and the FIDO [[Client to Authenticator Protocol]] (CTAP).<ref name="FIDO-FIDO2">{{cite web |title=FIDO2: Moving the World Beyond Passwords |url=https://fidoalliance.org/fido2/ |publisher=FIDO Alliance |access-date=30 January 2019}}</ref> Together WebAuthn and CTAP provide a strong authentication solution for the web.

A FIDO2 authenticator, also called a WebAuthn authenticator, uses public-key cryptography to interoperate with a WebAuthn client, that is, a conforming web [[user agent]] that implements the WebAuthn [[JavaScript]] API.<ref name="W3C-WebAuthn">{{cite web |editor1-last=Balfanz |editor1-first=Dirk |editor2-last=Czeskis |editor2-first=Alexei |editor3-last=Hodges |editor3-first=Jeff |editor4-last=Jones |editor4-first=J.C. |editor5-last=Jones |editor5-first=Michael B. |editor6-last=Kumar |editor6-first=Akshay |editor7-last=Liao |editor7-first=Angelo |editor8-last=Lindemann |editor8-first=Rolf |editor9-last=Lundberg |editor9-first=Emil |title=Web Authentication: An API for accessing Public Key Credentials Level 1 |url=https://www.w3.org/TR/webauthn/ |publisher=World Wide Web Consortium (W3C) |access-date=30 January 2019}}</ref> The authenticator may be a platform authenticator, a roaming authenticator, or some combination of the two. For example, a FIDO2 authenticator that implements the CTAP2 protocol<ref name="FIDO-CTAP" /> is a roaming authenticator that communicates with a WebAuthn client via one or more of the following transport options: [[USB]], [[near-field communication]] (NFC), or [[Bluetooth Low Energy]] (BLE). Concrete examples of FIDO2 platform authenticators include Windows Hello<ref>{{cite web |last1=Simons |first1=Alex |title=Secure password-less sign-in for your Microsoft account using a security key or Windows Hello |url=https://www.microsoft.com/en-us/microsoft-365/blog/2018/11/20/sign-in-to-your-microsoft-account-without-a-password-using-windows-hello-or-a-security-key/ |publisher=[[Microsoft]] |access-date=6 March 2019 |date=November 20, 2018}}</ref> and the [[Android operating system]].<ref>{{cite web |title=Android Now FIDO2 Certified, Accelerating Global Migration Beyond Passwords |url=https://fidoalliance.org/android-now-fido2-certified-accelerating-global-migration-beyond-passwords/ |publisher=[[FIDO Alliance]] |access-date=6 March 2019 |location=BARCELONA |date=February 25, 2019}}</ref>

A FIDO2 authenticator may be used in either single-factor mode or multi-factor mode. In single-factor mode, the authenticator is activated by a simple test of user presence (e.g., a button push). In multi-factor mode, the authenticator (''something that one has'') is activated by either a [[Personal identification number|PIN]] (''something that one knows'') or a [[Biometrics|biometric]] (''something that is unique to oneself''). The relying party can tell which mode was used: the authenticator data returned with every assertion carries a user-present (UP) flag and a user-verified (UV) flag, and a server that wants multi-factor assurance checks that UV is set rather than trusting the authenticator's configuration.