Editing Authenticator (section)

===Single-factor authenticators===

To use an authenticator, the claimant must explicitly indicate their intent to authenticate. For example, each of the following gestures is sufficient to establish intent:

* The claimant types a password into a password field, or
* The claimant places their finger on a fingerprint reader, or
* The claimant presses a button to indicate approval

The latter is called a test of user presence (TUP). To activate a single-factor authenticator (''something that one has''), the claimant may be required to perform a TUP, which avoids unintended operation of the authenticator.

A [[password]] is a secret that is intended to be memorized by the claimant and shared with the verifier. Password authentication is the process whereby the claimant demonstrates knowledge of the password by transmitting it over the network to the verifier. If the transmitted password agrees with the previously shared secret, user authentication is successful.

====OATH OTP====
[[File:Aegis Authenticator 3.2 screenshot.png|thumb|upright=1.1|Example of one-time passwords]]
One-time passwords (OTPs) have been used since the 1980s.{{citation needed|date=March 2019}} In 2004, an Open Authentication Reference Architecture for the secure generation of OTPs was announced at the annual [[RSA Conference]].<ref>{{cite web |last1=Kucan |first1=Berislav |title=Open Authentication Reference Architecture Announced |url=https://www.helpnetsecurity.com/2004/02/24/open-authentication-reference-architecture-announced/ |publisher=Help Net Security |access-date=26 March 2019 |date=24 February 2004}}</ref><ref>{{cite web |title=OATH Specifications and Technical Resources |url=https://openauthentication.org/specifications-technical-resources/ |publisher=[[Initiative for Open Authentication]] |access-date=26 March 2019}}</ref> The [[Initiative for Open Authentication]] (OATH) launched a year later.{{citation needed|date=March 2019}} Two IETF standards grew out of this work, the [[HMAC-based One-time Password algorithm|HMAC-based One-time Password (HOTP) algorithm]] and the [[Time-based One-time Password algorithm|Time-based One-time Password (TOTP) algorithm]] specified by RFC&nbsp;4226 and RFC&nbsp;6238, respectively. By OATH OTP, we mean either HOTP or TOTP. OATH certifies conformance with the HOTP and TOTP standards.<ref name="OATH-cert">{{cite web |title=OATH Certification |url=https://openauthentication.org/oath-certification/ |publisher=The [[Initiative for Open Authentication]] (OATH) |access-date=3 February 2019}}</ref>

A traditional password (''something that one knows'') is often combined with a one-time password (''something that one has'') to provide two-factor authentication.<ref name="Hoffman-Andrews and Gebhart 2017">{{cite web |last1=Hoffman-Andrews |first1=Jacob |last2=Gebhart |first2=Gennie |title=A Guide to Common Types of Two-Factor Authentication on the Web |url=https://www.eff.org/deeplinks/2017/09/guide-common-types-two-factor-authentication-web |publisher=[[Electronic Frontier Foundation]] |access-date=26 March 2019 |date=22 September 2017}}</ref> Both the password and the OTP are transmitted over the network to the verifier. If the password agrees with the previously shared secret, and the verifier can confirm the value of the OTP, user authentication is successful.

One-time passwords are generated on demand by a dedicated OATH OTP authenticator that encapsulates a secret that was previously shared with the verifier. Using the authenticator, the claimant generates an OTP using a cryptographic method. The verifier also generates an OTP using the same cryptographic method. If the two OTP values match, the verifier can conclude that the claimant possesses the shared secret.

A well-known example of an OATH authenticator is [[Google Authenticator]],<ref name="Google-Authenticator">{{cite web |title=Google Authenticator |website=[[GitHub]] |url=https://github.com/google/google-authenticator/wiki |access-date=3 February 2019}}</ref> a phone-based authenticator that implements both HOTP and TOTP.

====Mobile Push====

A mobile push authenticator is essentially a native app running on the claimant's mobile phone. The app uses public-key cryptography to respond to push notifications. In other words, a mobile push authenticator is a single-factor cryptographic software authenticator. A mobile push authenticator (''something that one has'') is usually combined with a password (''something that one knows'') to provide two-factor authentication. Unlike one-time passwords, mobile push does not require a shared secret beyond the password.

After the claimant authenticates with a password, the verifier makes an out-of-band authentication request to a trusted third party that manages a public-key infrastructure on behalf of the verifier. The trusted third party sends a push notification to the claimant's mobile phone. The claimant demonstrates possession and control of the authenticator by pressing a button in the user interface, after which the authenticator responds with a digitally signed assertion. The trusted third party verifies the signature on the assertion and returns an authentication response to the verifier.

The proprietary mobile push authentication protocol runs on an out-of-band secondary channel, which provides flexible deployment options. Since the protocol requires an open network path to the claimant's mobile phone, if no such path is available (due to network issues, e.g.), the authentication process can not proceed.<ref name="Hoffman-Andrews and Gebhart 2017" />

====FIDO U2F====

A [[FIDO Alliance|FIDO]] [[Universal 2nd Factor]] (U2F) authenticator (''something that one has'') is a single-factor cryptographic authenticator that is intended to be used in conjunction with an ordinary web password. Since the authenticator relies on public-key cryptography, U2F does not require an additional shared secret beyond the password.

To access a U2F authenticator, the claimant is required to perform a test of user presence (TUP), which helps prevent unauthorized access to the authenticator's functionality. In practice, a TUP consists of a simple button push.

A U2F authenticator interoperates with a conforming web [[user agent]] that implements the U2F JavaScript API.<ref>{{cite web |editor-last1=Balfanz |editor-first1=Dirk |editor-last2=Birgisson |editor-first2=Arnar |editor-last3=Lang |editor-first3=Juan |title=FIDO U2F JavaScript API |url=https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html |publisher=[[FIDO Alliance]] |access-date=22 March 2019 |date=11 April 2017}}</ref> A U2F authenticator necessarily implements the CTAP1/U2F protocol, one of the two protocols specified in the FIDO [[Client to Authenticator Protocol]].<ref name="FIDO-CTAP">{{cite web |editor-last1=Brand |editor-first1=Christiaan |editor-last2=Czeskis |editor-first2=Alexei |editor-last3=Ehrensvärd |editor-first3=Jakob |editor-last4=Jones |editor-first4=Michael B. |editor-last5=Kumar |editor-first5=Akshay |editor-last6=Lindemann |editor-first6=Rolf |editor-last7=Powers |editor-first7=Adam |editor-last8=Verrept |editor-first8=Johan |title=Client to Authenticator Protocol (CTAP) |url=https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html |publisher=[[FIDO Alliance]] |access-date=22 March 2019 |date=30 January 2019}}</ref>

Unlike mobile push authentication, the U2F authentication protocol runs entirely on the front channel. Two round trips are required. The first round trip is ordinary password authentication. After the claimant authenticates with a password, the verifier sends a challenge to a conforming browser, which communicates with the U2F authenticator via a custom JavaScript API. After the claimant performs the TUP, the authenticator signs the challenge and returns the signed assertion to the verifier via the browser.