A well-known example of a memorized secret is the common password, also called a passcode, a passphrase, or a personal identification number (PIN).
The name OATH is an acronym from the words "Open AuTHentication" while FIDO stands for Fast IDentity Online.
One can, for example, hold an authenticator in one's hand or wear one on the face, wrist, or finger.
An authenticator is hardware-based or software-based depending on whether the secret is stored in hardware or software, respectively.
A security key is also resistant to malware since the secret is at no time accessible to software running on the host machine.
A software-based authenticator (sometimes called a software token) may be implemented on a general-purpose electronic device such as a laptop, a tablet computer, or a smartphone.
A roaming authenticator connects to a device platform via a transport protocol such as USB.
For example, each of the following gestures is sufficient to establish intent: The latter is called a test of user presence (TUP).
If the transmitted password agrees with the previously shared secret, user authentication is successful.
In 2004, an Open Authentication Reference Architecture for the secure generation of OTPs was announced at the annual RSA Conference.
Two IETF standards grew out of this work: the HMAC-based One-time Password (HOTP) algorithm and the Time-based One-time Password (TOTP) algorithm, specified by RFC 4226 and RFC 6238, respectively.
If the password agrees with the previously shared secret, and the verifier can confirm the value of the OTP, user authentication is successful.
One-time passwords are generated on demand by a dedicated OATH OTP authenticator that encapsulates a secret that was previously shared with the verifier.
If the two OTP values match, the verifier can conclude that the claimant possesses the shared secret.
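The HOTP/TOTP exchange described above, as an added example that is not part of the original article: the claimant computes an OTP from the shared secret and a counter (or the current 30-second time step), and the verifier recomputes it and compares in constant time. The secret used in the sample is the RFC 4226 test-vector key; the look-ahead and clock-skew windows are assumed values a verifier might configure.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects the window
    code = ((mac[offset] & 0x7F) << 24          # mask the sign bit as the RFC requires
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_hotp(secret: bytes, submitted: str, last_counter: int, look_ahead: int = 10):
    """Verifier side. Only counters strictly after the last accepted one are tried, so a
    replayed OTP is rejected. Returns the counter to persist on success, else None."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c
    return None


def verify_totp(secret: bytes, submitted: str, now: float, step: int = 30, skew: int = 1) -> bool:
    """Verifier side: accept the current time step plus `skew` steps either way (assumed window)."""
    t = int(now) // step
    return any(hmac.compare_digest(hotp(secret, c), submitted) for c in range(t - skew, t + skew + 1))


if __name__ == "__main__":
    secret = b"12345678901234567890"           # RFC 4226 test-vector secret
    print("HOTP counter 0:", hotp(secret, 0))     # 755224 per RFC 4226 Appendix D
    print("TOTP at t=59, 8 digits:", totp(secret, 59, digits=8))  # 94287082 per RFC 6238
    print("accepted counter:", verify_hotp(secret, hotp(secret, 3), last_counter=0))
    print("live TOTP verifies:", verify_totp(secret, totp(secret, time.time()), time.time()))
```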
The trusted third party sends a push notification to the claimant's mobile phone.
The proprietary mobile push authentication protocol runs on an out-of-band secondary channel, which provides flexible deployment options.
Since the authenticator relies on public-key cryptography, U2F does not require an additional shared secret beyond the password.
A U2F authenticator interoperates with a conforming web user agent that implements the U2F JavaScript API.
The multi-factor authenticator (something that one has) is activated by a PIN (something that one knows), or a biometric ("something that is unique to oneself"; e.g., fingerprint, face, or voice recognition), or some other verification technique.
To withdraw cash from an automated teller machine (ATM), a bank customer inserts an ATM card into a cash machine and types a Personal Identification Number (PIN).
Presenting the card to the ATM and demonstrating knowledge of the PIN is a kind of multi-factor authentication.
The primary authenticator secret is the SSH private key, which is used by the client to digitally sign a message.
To initiate a two-factor authentication process, the claimant supplies the passphrase to the client system.
For example, a FIDO2 authenticator that implements the CTAP2 protocol[16] is a roaming authenticator that communicates with a WebAuthn client via one or more of the following transport options: USB, near-field communication (NFC), or Bluetooth Low Energy (BLE).
Concrete examples of FIDO2 platform authenticators include Windows Hello[19] and the Android operating system.
In single-factor mode, the authenticator is activated by a simple test of user presence (e.g., a button push).
In multi-factor mode, the authenticator (something that one has) is activated by either a PIN (something that one knows) or a biometric ("something that is unique to oneself").
The best thing one can do to protect a personal online account is to enable multi-factor authentication.
Moreover, if an agency chooses to use voice- or SMS-based OTPs, that agency must verify that the OTP is being transmitted to a phone and not an IP address since Voice over IP (VoIP) accounts are not routinely protected with multi-factor authentication.
In 2012, Bonneau et al. evaluated two decades of proposals to replace passwords by systematically comparing web passwords to 35 competing authentication schemes in terms of their usability, deployability, and security.