Editing Authenticator (section)

===Authenticator factors and forms===

An authenticator is something unique or distinctive to a user (''something that one has''), is activated by either a [[Personal identification number|PIN]] (''something that one knows''), or is a [[Biometrics|biometric]] ("something that is unique to oneself"). An authenticator that provides only one of these factors is called a single-factor authenticator whereas a multi-factor authenticator incorporates two or more factors. A multi-factor authenticator is one way to achieve [[multi-factor authentication]]. A combination of two or more single-factor authenticators is not a multi-factor authentication, yet may be suitable in certain conditions.

Authenticators may take a variety of physical forms (except for a memorized secret, which is intangible). One can, for example, hold an authenticator in one's hand or wear one on the face, wrist, or finger.<ref>{{cite journal |last1=Bianchi |first1=Andrea |last2=Oakley |first2=Ian |title=Wearable authentication: Trends and opportunities |journal=It - Information Technology |date=2016 |volume=58 |issue=5 |pages=255–262 |doi=10.1515/itit-2016-0010 |s2cid=12772550 |url=http://alsoplantsfly.com/files/2016/Bianchi_WearableAuthentication_itit16.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://alsoplantsfly.com/files/2016/Bianchi_WearableAuthentication_itit16.pdf |archive-date=2022-10-09 |url-status=live}}</ref><ref>{{cite web |last1=Stein |first1=Scott |title=Why can't Wear OS smartwatches be security keys too? |url=https://www.cnet.com/news/why-cant-wear-os-smartwatches-be-security-keys-too/ |website=CNET |access-date=31 March 2019 |date=26 July 2018}}</ref><ref>{{cite web |last1=Williams |first1=Brett |title=This smart ring gives you instant mobile payments with beefed up security |url=https://mashable.com/2017/06/27/token-wearable-ring-authenticator/ |publisher=Mashable |access-date=31 March 2019 |date=27 June 2017}}</ref>

It is convenient to describe an authenticator in terms of its hardware and software components. An authenticator is hardware-based or software-based depending on whether the secret is stored in hardware or software, respectively.

An important type of hardware-based authenticator is called a security key,<ref>{{cite web |title=Case Study: Google Security Keys Work |url=https://fidoalliance.org/case-study-series-google-security-keys-work/ |publisher=[[FIDO Alliance]] |access-date=26 March 2019 |date=7 December 2016}}</ref> also called a [[security token]] (not to be confused with [[access token]]s, [[session token]]s, or other types of security tokens). A security key stores its secret in hardware, which prevents the secret from being exported. A security key is also resistant to malware since the secret is at no time accessible to software running on the host machine.

A software-based authenticator (sometimes called a [[software token]]) may be implemented on a general-purpose electronic device such as a [[laptop]], a [[tablet computer]], or a [[smartphone]]. For example, a software-based authenticator implemented as a [[mobile app]] on the claimant's smartphone is a type of phone-based authenticator. To prevent access to the secret, a software-based authenticator may use a processor's [[trusted execution environment]] or a [[Trusted Platform Module]] (TPM) on the client device.

A platform authenticator is built into a particular client device platform, that is, it is implemented on device. In contrast, a roaming authenticator is a cross-platform authenticator that is implemented off device. A roaming authenticator connects to a device platform via a transport protocol such as [[USB]].