====Cryptographic key====
A cryptographic authenticator is one that uses a [[Key (cryptography)|cryptographic key]]. Depending on the key material, a cryptographic authenticator may use [[Cryptography#Symmetric-key cryptography|symmetric-key cryptography]] or [[Cryptography#Public-key cryptography|public-key cryptography]]. Both avoid memorized secrets, and public-key cryptography additionally involves no [[shared secret]]s, which is an important distinction.

Examples of cryptographic authenticators include [[Initiative for Open Authentication|OATH]] authenticators and [[FIDO Alliance|FIDO]] authenticators. The name OATH is an acronym from the words "Open AuTHentication", while FIDO stands for Fast IDentity Online. Both are the results of an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication.

By way of counterexample, a password authenticator is '''not''' a cryptographic authenticator. See the [[#Examples]] section for details.

=====Symmetric key=====
A symmetric key is a shared secret used to perform symmetric-key cryptography. The claimant stores their copy of the shared key in a dedicated hardware-based authenticator or a software-based authenticator implemented on a smartphone. The verifier holds a copy of the symmetric key.

=====Public-private key pair=====
A public-private key pair is used to perform public-key cryptography. The public key is known to (and trusted by) the verifier, while the corresponding private key is bound securely to the authenticator. In the case of a dedicated hardware-based authenticator, the private key never leaves the confines of the authenticator.
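The symmetric-key case described above, as an added example that is not part of the original article: a minimal HOTP exchange (RFC 4226, the OATH event-based one-time password) in Python, in which claimant and verifier each hold a copy of the same key. The class names, the look-ahead window of 3 and the sample key (the RFC's published test secret) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample key: the ASCII test secret from RFC 4226, Appendix D.
SHARED_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Claimant:
    """Authenticator side (hypothetical name): its key copy plus an event counter."""

    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def next_otp(self) -> str:
        otp = hotp(self._key, self._counter)
        self._counter += 1
        return otp


class Verifier:
    """Verifier side (hypothetical name): holds the same key, so it recomputes and compares."""

    def __init__(self, key: bytes, window: int = 3):
        self._key, self._counter, self._window = key, 0, window

    def verify(self, otp: str) -> bool:
        # Look ahead a few counters in case the claimant generated unused codes.
        for c in range(self._counter, self._counter + self._window + 1):
            if hmac.compare_digest(hotp(self._key, c).encode(), otp.encode()):
                self._counter = c + 1  # advance past it so a replay fails
                return True
        return False


if __name__ == "__main__":
    token, server = Claimant(SHARED_KEY), Verifier(SHARED_KEY)
    otp = token.next_otp()
    # The first submission is accepted; submitting the same code again is rejected.
    print(otp, server.verify(otp), server.verify(otp))
```

Because the verifier stores the same key as the authenticator, that stored copy is itself a secret to protect. In the public-key case the verifier holds only the public key.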