A Platform Authenticator is an integrated component within a device that manages
cryptographic operations and securely stores credentials. It uses a device's inherent
features, like biometric sensors, to authenticate users. Examples include Apple's Touch ID
and Face ID, Windows Hello, and Android's biometric capabilities. Unlike cross-platform
(roaming) authenticators, platform authenticators are device-specific, offering a
convenient and secure method for user authentication without the need for external devices.
- Platform Authenticators are integrated directly into personal devices, utilizing
features like biometrics for secure authentication.
- They provide a user-friendly authentication experience without needing additional
hardware.
- Examples include Touch ID, Face ID, Windows Hello, and Android's biometric features.
Platform Authenticators represent a significant advancement in
digital security, merging convenience with robust security measures to protect user
identities and access. Here’s why they’re important in today’s digital ecosystem:
Security Features
- Trusted Platform Module (TPM) / Secure Enclave / Trusted Execution Environment (TEE):
A critical component in platform authenticators, the TPM / Secure Enclave / TEE securely
generates and stores cryptographic keys, ensuring the device alone can authenticate the
user. Which component is used depends on the operating system: Windows uses Trusted
Platform Modules (TPM), iOS and macOS use Secure Enclaves, and Android uses Trusted
Execution Environments (TEE).
- Biometric Authentication: By leveraging biometric data such as fingerprints or facial
recognition, platform authenticators offer a highly secure and personal method of
verification.
Convenience and Accessibility
- Seamless User Experience: Authentication occurs directly on the device, streamlining
the login process without compromising security (no additional device is needed).
- Widespread Adoption: Major tech platforms have integrated these platform
authenticators, making secure access more accessible across various services and
applications. Most people already unlock their personal devices with biometrics, so it’s
a common pattern that platform authenticators rely on.
While platform authenticators are tied to a specific device, cross-platform (roaming)
authenticators are portable, external devices used across multiple platforms. Here are
some key differences:
- Device Specificity: Platform authenticators can only authenticate the user on the
device they are integrated with, whereas roaming authenticators can be used with any
compatible device.
- User Experience: Platform authenticators provide a more integrated and often
smoother user experience, while roaming authenticators offer flexibility and
portability.
For developers and organizations, supporting platform authenticators involves:
- WebAuthn API Integration: Implementing the WebAuthn API allows websites and
applications to interact with the authenticator on the user's device.
- Security Considerations: Ensuring that biometric data and cryptographic keys are
securely handled and stored within the device’s TPM / Secure Enclave / TEE (this is
usually handled by the operating system and the respective APIs).
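The WebAuthn integration step above, as an added example that is not part of the original page: it builds registration options restricted to the platform authenticator, detects whether one is available, and decodes the authenticator data flags a relying party checks for user verification and credential sync. The function names and all sample inputs are illustrative assumptions.

```javascript
// Added example (not from the original page). Sample inputs are constructed.

// Build PublicKeyCredentialCreationOptions that only allow the device's
// built-in (platform) authenticator and require user verification.
function buildPlatformCreationOptions({ rpId, rpName, userId, userName, challenge }) {
  return {
    challenge, // single-use random bytes issued by the server
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: "platform", // excludes roaming authenticators
      residentKey: "required",
      userVerification: "required",        // biometric or device PIN
    },
    attestation: "none",
  };
}

// Feature detection. In a browser, pass window.PublicKeyCredential.
async function platformAuthenticatorAvailable(pkc) {
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return false;
  }
  return pkc.isUserVerifyingPlatformAuthenticatorAvailable();
}

// Decode the flags byte of authenticatorData: 32-byte rpIdHash, 1 flags byte,
// 4-byte signature counter. The relying party checks these after each ceremony.
function parseAuthenticatorFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new RangeError("authenticatorData must be at least 37 bytes");
  }
  const flags = authData[32];
  return {
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,   // biometric or PIN check happened
    backupEligible: (flags & 0x08) !== 0, // credential may be synced to other devices
    backupState: (flags & 0x10) !== 0,    // credential is currently backed up
    attestedCredentialData: (flags & 0x40) !== 0,
  };
}
```

In the browser, the options object is passed as `navigator.credentials.create({ publicKey: options })`.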
- No, platform authenticators are bound to a specific device, such as a smartphone or
laptop, and utilize that device's built-in security features, like biometric scanners,
for authentication. They cannot be transferred or used across multiple devices. However,
a credential can be synced and verified on different devices (e.g. you cannot use the
fingerprint from your macOS device on an iPhone with Face ID, but the synced credential
you use for authentication might be the same).
- Platform authenticators are considered highly secure due to their use of a Trusted
Platform Module (TPM) / Secure Enclave / Trusted Execution Environment (TEE) for key
management and their integration with the device's hardware, making the keys
non-exportable and protected against phishing and other cyber attacks. The use of
biometrics or PINs for user verification further enhances security.
- Most modern devices from major manufacturers like Apple, Microsoft, and Google support
platform authenticators through features like Touch ID, Face ID, or Windows Hello. Check
your device's security settings or documentation to confirm support for these features.
- While biometrics like fingerprints or facial recognition provide a convenient and secure
method for user verification, they are not strictly required for a platform authenticator
to function. Alternatives such as PINs or patterns can also be used, depending on the
device's capabilities.
