==Security code==
First and foremost, strong authentication begins with [[multi-factor authentication]]. The single most effective step one can take to protect a personal online account is to enable multi-factor authentication.<ref name="Hoffman-Andrews and Gebhart 2017" /><ref name="NCSC 2FA">{{cite web |title=Two-factor authentication (2FA); new guidance from the NCSC |url=https://www.ncsc.gov.uk/blog-post/two-factor-authentication-2fa-new-guidance-ncsc |publisher=[[National Cyber Security Centre (United Kingdom)|National Cyber Security Centre]] (NCSC) |date=8 Aug 2018}}</ref>

There are two ways to achieve multi-factor authentication:
# Use a multi-factor authenticator
# Use a combination of two or more single-factor authenticators

In practice, a common approach is to combine a password authenticator (''something that one knows'') with some other authenticator (''something that one has'') such as a cryptographic authenticator.

Generally speaking, a [[#Cryptographic key|cryptographic authenticator]] is preferred over an authenticator that does not use cryptographic methods. All else being equal, a cryptographic authenticator that uses public-key cryptography is better than one that uses symmetric-key cryptography, since the latter requires a shared key that the verifier must also store and that may therefore be stolen or misused. Again, all else being equal, a hardware-based authenticator is better than a software-based authenticator, since the authenticator secret is presumably better protected in hardware. This preference is reflected in the NIST requirements outlined in the next section.

===NIST authenticator assurance levels===
NIST defines three authenticator assurance levels (AAL1 through AAL3). The highest level, AAL3, requires multi-factor authentication using either a multi-factor authenticator or an appropriate combination of single-factor authenticators. At AAL3, at least one of the authenticators must be a hardware-based cryptographic authenticator.

Given these basic requirements, possible authenticator combinations used at AAL3 include:
# A multi-factor cryptographic hardware-based authenticator
# A single-factor cryptographic hardware-based authenticator used in conjunction with some other authenticator (such as a password authenticator)

See the NIST Digital Identity Guidelines for further discussion of authenticator assurance levels.<ref name="NIST-SP-800-63B" />

===Restricted authenticators===
Like authenticator assurance levels, the notion of a restricted authenticator is a NIST concept.<ref name="NIST-SP-800-63-3" /> The term refers to an authenticator with a demonstrated inability to resist attacks, which puts the reliability of the authenticator in doubt. Federal agencies mitigate the use of a restricted authenticator by offering subscribers an alternative authenticator that is not restricted and by developing a migration plan in the event that the restricted authenticator is prohibited from use at some point in the future.

Currently, the use of the [[public switched telephone network]] is restricted by NIST. In particular, the out-of-band transmission of one-time passwords (OTPs) via recorded voice messages or [[SMS]] messages is restricted. Moreover, if an agency chooses to use voice- or SMS-based OTPs, it must verify that the OTP is being sent to a telephone number associated with a specific physical device rather than to an IP address, since [[Voice over IP]] (VoIP) accounts do not prove possession of a particular device and are not routinely protected with multi-factor authentication.<ref name="NIST-SP-800-63B" />
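The following program is an added illustration of the preference stated above for public-key over symmetric-key authenticators; it is not part of the Wikipedia article and not NIST's or any vendor's code. It contrasts two verifier designs: a TOTP verifier (RFC 6238, HMAC-SHA1, 30-second step), which must store the same shared secret the authenticator holds, and an Ed25519 challenge-response verifier, which stores only a public key. The demo secret, the 32-byte random challenge, and the "stolen database" scenario are constructed for the example; the only external value is the RFC 6238 test vector (secret <code>12345678901234567890</code>, T=59, expected code 287082), used as a self-check. Everything uses the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// totpSecret is a constructed demo value (assumption), fixed so the run is reproducible.
var totpSecret = []byte("constructed-demo-shared-secret")

// TOTP computes an RFC 6238 one-time password (HMAC-SHA1, 30 s step, 6 digits)
// for the given Unix time. The same function runs on the authenticator and on
// the verifier, which is exactly why the verifier must hold the shared secret.
func TOTP(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // RFC 4226 dynamic truncation
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// SymmetricVerifier stores the shared OTP secret: anyone who reads its
// database can generate valid codes for that subscriber.
type SymmetricVerifier struct{ secret []byte }

// Verify accepts the current time step and one step either side for clock skew,
// comparing in constant time.
func (v SymmetricVerifier) Verify(code string, now int64) bool {
	for _, t := range []int64{now - 30, now, now + 30} {
		if hmac.Equal([]byte(TOTP(v.secret, t)), []byte(code)) {
			return true
		}
	}
	return false
}

// PublicKeyVerifier stores only a public key; the private key stays on the
// authenticator (ideally in hardware). A copy of this database signs nothing.
type PublicKeyVerifier struct{ pub ed25519.PublicKey }

// NewChallenge returns a fresh random nonce so a captured signature cannot be replayed.
func (v PublicKeyVerifier) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // demo: no fallback if the OS CSPRNG fails
	}
	return c
}

// Verify checks that the challenge was signed by the registered key.
func (v PublicKeyVerifier) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(v.pub, challenge, sig)
}

// LegitimateLogin shows the normal path: the authenticator signs the verifier's challenge.
func LegitimateLogin() bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v := PublicKeyVerifier{pub: pub}
	ch := v.NewChallenge()
	return v.Verify(ch, ed25519.Sign(priv, ch))
}

// StolenDatabaseImpact models an attacker who has copied the verifier's stored
// data. With the symmetric scheme the copy is the secret, so a forged code passes;
// with the public-key scheme the copy is only the public key, so the best the
// attacker can do is sign with a key of their own, which the verifier rejects.
func StolenDatabaseImpact() (symmetricForged, publicKeyForged bool) {
	now := time.Now().Unix()
	sym := SymmetricVerifier{secret: totpSecret}
	symmetricForged = sym.Verify(TOTP(totpSecret, now), now)

	pub, _, err := ed25519.GenerateKey(rand.Reader) // legitimate authenticator's key pair
	if err != nil {
		panic(err)
	}
	pk := PublicKeyVerifier{pub: pub}
	ch := pk.NewChallenge()
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // attacker has no access to priv
	if err != nil {
		panic(err)
	}
	publicKeyForged = pk.Verify(ch, ed25519.Sign(attackerPriv, ch))
	return symmetricForged, publicKeyForged
}

func main() {
	fmt.Println("RFC 6238 vector (T=59):", TOTP([]byte("12345678901234567890"), 59)) // 287082
	fmt.Println("legitimate public-key login:", LegitimateLogin())
	s, p := StolenDatabaseImpact()
	fmt.Printf("stolen verifier DB forges OTP: %v, forges signature: %v\n", s, p)
}
```

The public-key verifier's database is not secret at all, which is the practical content of "no shared keys": a breach of the verifier costs the attacker nothing, whereas a breach of the TOTP verifier is equivalent to stealing every subscriber's authenticator. Keeping the private key in hardware (the AAL3 requirement) then closes the remaining avenue, theft of the key from the subscriber's device.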