What is a Platform Authenticator in WebAuthn?
Learn about platform authenticators, a technical foundation for implementing user authentication with WebAuthn / passkeys.
What is a Platform Authenticator?#
A Platform Authenticator is an integrated component within a device that manages cryptographic operations and securely stores credentials. It uses a device's inherent features, like biometric sensors to authenticate users. Examples include Apple's Touch ID and Face ID, Windows Hello, and Android's biometric capabilities. Unlike cross-platform (roaming) authenticators, platform authenticators are device-specific, offering a convenient and secure method for user authentication without the need for external devices.
- Platform Authenticators are integrated directly into personal devices, utilizing features like biometrics for secure authentication.
- They provide a user-friendly authentication experience without needing additional hardware.
- Examples include Touch ID, Face ID, Windows Hello, and Android's biometric features.
Role and Benefits of Platform Authenticators#
Platform Authenticators represent a significant advancement in digital security, merging convenience with robust security measures to protect user identities and access. Here’s why they’re important in today’s digital ecosystem:
Security Features#
- Trusted Platform Module (TPM) / Secure Enclave / Trusted Execution Environment (TEE): A critical component in platform authenticators, TPM / Secure Enclaves / TEE securely generates and stores cryptographic keys, ensuring the device alone can authenticate the user. Which component is used depends on the operating system. Windows uses Trusted Platform Modules (TPM), while iOS and macOS make use of Secure Enclaves and Android uses Trusted Execution Environments (TEE).
- Biometric Authentication: By leveraging biometric data such as fingerprints or facial recognition, platform authenticators offer a highly secure and personal method of verification.
Convenience and Accessibility#
- Seamless User Experience: Authentication occurs directly on the device, streamlining the login process without compromising security (no additional device is needed).
- Widespread Adoption: Major tech platforms have integrated these platform authenticators, making secure access more accessible across various services and applications. Most people already unlock their personal devices with biometrics, so it’s a common pattern that platform authenticators rely on.
Platform Authenticators vs. Cross-Platform (Roaming) Authenticators#
While platform authenticators are tied to a specific device, cross-platform (roaming) authenticators are portable, external devices used across multiple platforms. Here are some key differences:
- Device Specificity: Platform authenticators can only authenticate the user on the device they are integrated with, whereas roaming authenticators can be used with any compatible device.
- User Experience: Platform authenticators provide a more integrated and often smoother user experience, while roaming authenticators offer flexibility and portability.
Implementing Platform Authenticators#
For developers and organizations, supporting platform authenticators involves:
- WebAuthn API Integration: Implementing the WebAuthn API allows websites and applications to interact with the authenticator on the user's device.
- Security Considerations: Ensuring that biometric data and cryptographic keys are securely handled and stored within the device’s TPM / Secure Enclave / TEE (this is usually handled by the operating system and the respective APIs).
Platform Authenticator FAQs#
Can a platform authenticator be used on multiple devices?#
- No, platform authenticators are bound to a specific device, such as a smartphone or laptop, and utilize that device's built-in security features, like biometric scanners, for authentication. They cannot be transferred or used across multiple devices. However, a credential can be synced and verified on different devices (e.g. you cannot use the fingerprint from your macOS device on an iPhone with Face ID but the synced credential you use for authentication might be the same).
What makes a platform authenticator secure?#
- Platform authenticators are considered highly secure due to their use of a Trusted Platform Module (TPM) / Secure Enclave / Trusted Execution Environment (TEE) for key management and their integration with the device's hardware, making the keys non-exportable and protected against phishing and other cyber attacks. The use of biometrics or PINs for user verification further enhances security.
How do I know if my device supports platform authenticator?#
- Most modern devices from major manufacturers like Apple, Microsoft, and Google support platform authenticators through features like Touch ID, Face ID, or Windows Hello. Check your device's security settings or documentation to confirm support for these features.
Is biometric data required for a platform authenticator to work?#
- While biometrics like fingerprints or facial recognition provide a convenient and secure method for user verification, they are not strictly required for a platform authenticator to function. Alternatives such as PINs or patterns can also be used, depending on the device's capabilities.
About Corbado
Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →
Share this article
Table of Contents
Related Terms
Related Articles
