Authenticator

For the role of the authenticator in the 802.1X authentication protocol, see IEEE 802.1X.

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

Using the terminology of the NIST Digital Identity Guidelines, the party to be authenticated is called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates possession and control of one or more authenticators to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

Classification

Authenticators may be characterized in terms of secrets, factors, and physical forms.

Authenticator secrets

Every authenticator is associated with at least one secret that the claimant uses to demonstrate possession and control of the authenticator. Since an attacker could use this secret to impersonate the user, an authenticator secret must be protected from theft or loss.

The type of secret is an important characteristic of the authenticator. There are three basic types of authenticator secret: a memorized secret and two types of cryptographic keys, either a symmetric key or a private key.

Memorized secret

A memorized secret is intended to be memorized by the user. A well-known example of a memorized secret is the common password, also called a passcode, a passphrase, or a personal identification number (PIN).

An authenticator secret known to both the claimant and the verifier is called a shared secret. For example, a memorized secret may or may not be shared. A symmetric key is shared by definition. A private key is not shared.

An important type of secret that is both memorized and shared is the password. In the special case of a password, the authenticator is the secret.

Cryptographic key

A cryptographic authenticator is one that uses a cryptographic key. Depending on the key material, a cryptographic authenticator may use symmetric-key cryptography or public-key cryptography. Both avoid memorized secrets, and in the case of public-key cryptography, there are no shared secrets as well, which is an important distinction.

Examples of cryptographic authenticators include OATH authenticators and FIDO authenticators. The name OATH is an acronym from the words "Open AuTHentication" while FIDO stands for Fast IDentity Online. Both are the results of an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication.

By way of counterexample, a password authenticator is not a cryptographic authenticator. See the Examples section for details.

Symmetric key

A symmetric key is a shared secret used to perform symmetric-key cryptography. The claimant stores their copy of the shared key in a dedicated hardware-based authenticator or a software-based authenticator implemented on a smartphone. The verifier holds a copy of the symmetric key.

Public-private key pair

A public-private key pair is used to perform public-key cryptography. The public key is known to (and trusted by) the verifier while the corresponding private key is bound securely to the authenticator. In the case of a dedicated hardware-based authenticator, the private key never leaves the confines of the authenticator.

Authenticator factors and forms

An authenticator is something unique or distinctive to a user (something that one has), is activated by either a PIN (something that one knows), or is a biometric ("something that is unique to oneself"). An authenticator that provides only one of these factors is called a single-factor authenticator whereas a multi-factor authenticator incorporates two or more factors. A multi-factor authenticator is one way to achieve multi-factor authentication. A combination of two or more single-factor authenticators is not a multi-factor authenticator, yet may be suitable in certain conditions.

Authenticators may take a variety of physical forms (except for a memorized secret, which is intangible). One can, for example, hold an authenticator in one's hand or wear one on the face, wrist, or finger.

It is convenient to describe an authenticator in terms of its hardware and software components. An authenticator is hardware-based or software-based depending on whether the secret is stored in hardware or software, respectively.

An important type of hardware-based authenticator is called a security key, also called a security token (not to be confused with access tokens, session tokens, or other types of security tokens). A security key stores its secret in hardware, which prevents the secret from being exported. A security key is also resistant to malware since the secret is at no time accessible to software running on the host machine.

A software-based authenticator (sometimes called a software token) may be implemented on a general-purpose electronic device such as a laptop, a tablet computer, or a smartphone. For example, a software-based authenticator implemented as a mobile app on the claimant's smartphone is a type of phone-based authenticator. To prevent access to the secret, a software-based authenticator may use a processor's trusted execution environment or a Trusted Platform Module (TPM) on the client device.

A platform authenticator is built into a particular client device platform, that is, it is implemented on device. In contrast, a roaming authenticator is a cross-platform authenticator that is implemented off device. A roaming authenticator connects to a device platform via a transport protocol such as USB.

Examples

The following sections describe narrow classes of authenticators. For a more comprehensive classification, see the NIST Digital Identity Guidelines.

Single-factor authenticators

To use an authenticator, the claimant must explicitly indicate their intent to authenticate. For example, each of the following gestures is sufficient to establish intent:

The claimant types a password into a password field, or
The claimant places their finger on a fingerprint reader, or
The claimant presses a button to indicate approval

The latter is called a test of user presence (TUP). To activate a single-factor authenticator (something that one has), the claimant may be required to perform a TUP, which avoids unintended operation of the authenticator.

A password is a secret that is intended to be memorized by the claimant and shared with the verifier. Password authentication is the process whereby the claimant demonstrates knowledge of the password by transmitting it over the network to the verifier. If the transmitted password agrees with the previously shared secret, user authentication is successful.

OATH OTP

One-time passwords (OTPs) have been used since the 1980s. In 2004, an Open Authentication Reference Architecture for the secure generation of OTPs was announced at the annual RSA Conference. The Initiative for Open Authentication (OATH) launched a year later. Two IETF standards grew out of this work, the HMAC-based One-time Password (HOTP) algorithm and the Time-based One-time Password (TOTP) algorithm specified by RFC 4226 and RFC 6238, respectively. By OATH OTP, we mean either HOTP or TOTP. OATH certifies conformance with the HOTP and TOTP standards.

A traditional password (something that one knows) is often combined with a one-time password (something that one has) to provide two-factor authentication. Both the password and the OTP are transmitted over the network to the verifier. If the password agrees with the previously shared secret, and the verifier can confirm the value of the OTP, user authentication is successful.

One-time passwords are generated on demand by a dedicated OATH OTP authenticator that encapsulates a secret that was previously shared with the verifier. Using the authenticator, the claimant generates an OTP using a cryptographic method. The verifier also generates an OTP using the same cryptographic method. If the two OTP values match, the verifier can conclude that the claimant possesses the shared secret.

A well-known example of an OATH authenticator is Google Authenticator, a phone-based authenticator that implements both HOTP and TOTP.

Mobile Push

A mobile push authenticator is essentially a native app running on the claimant's mobile phone. The app uses public-key cryptography to respond to push notifications. In other words, a mobile push authenticator is a single-factor cryptographic software authenticator. A mobile push authenticator (something that one has) is usually combined with a password (something that one knows) to provide two-factor authentication. Unlike one-time passwords, mobile push does not require a shared secret beyond the password.

After the claimant authenticates with a password, the verifier makes an out-of-band authentication request to a trusted third party that manages a public-key infrastructure on behalf of the verifier. The trusted third party sends a push notification to the claimant's mobile phone. The claimant demonstrates possession and control of the authenticator by pressing a button in the user interface, after which the authenticator responds with a digitally signed assertion. The trusted third party verifies the signature on the assertion and returns an authentication response to the verifier.

The proprietary mobile push authentication protocol runs on an out-of-band secondary channel, which provides flexible deployment options. Since the protocol requires an open network path to the claimant's mobile phone, if no such path is available (due to network issues, e.g.), the authentication process cannot proceed.

FIDO U2F

A FIDO Universal 2nd Factor (U2F) authenticator (something that one has) is a single-factor cryptographic authenticator that is intended to be used in conjunction with an ordinary web password. Since the authenticator relies on public-key cryptography, U2F does not require an additional shared secret beyond the password.

To access a U2F authenticator, the claimant is required to perform a test of user presence (TUP), which helps prevent unauthorized access to the authenticator's functionality. In practice, a TUP consists of a simple button push.

A U2F authenticator interoperates with a conforming web user agent that implements the U2F JavaScript API. A U2F authenticator necessarily implements the CTAP1/U2F protocol, one of the two protocols specified in the FIDO Client to Authenticator Protocol.

Unlike mobile push authentication, the U2F authentication protocol runs entirely on the front channel. Two round trips are required. The first round trip is ordinary password authentication. After the claimant authenticates with a password, the verifier sends a challenge to a conforming browser, which communicates with the U2F authenticator via a custom JavaScript API. After the claimant performs the TUP, the authenticator signs the challenge and returns the signed assertion to the verifier via the browser.

Multi-factor authenticators

To use a multi-factor authenticator, the claimant performs full user verification. The multi-factor authenticator (something that one has) is activated by a PIN (something that one knows), or a biometric ("something that is unique to oneself"; e.g. fingerprint, face or voice recognition), or some other verification technique.

ATM card

To withdraw cash from an automated teller machine (ATM), a bank customer inserts an ATM card into a cash machine and types a Personal Identification Number (PIN). The input PIN is compared to the PIN stored on the card's chip. If the two match, the ATM withdrawal can proceed.

Note that an ATM withdrawal involves a memorized secret (i.e., a PIN) but the true value of the secret is not known to the ATM in advance. The machine blindly passes the input PIN to the card, which compares the customer's input to the secret PIN stored on the card's chip. If the two match, the card reports success to the ATM and the transaction continues.

An ATM card is an example of a multi-factor authenticator. The card itself is something that one has while the PIN stored on the card's chip is presumably something that one knows. Presenting the card to the ATM and demonstrating knowledge of the PIN is a kind of multi-factor authentication.

Secure Shell

Secure Shell (SSH) is a client-server protocol that uses public-key cryptography to create a secure channel over the network. In contrast to a traditional password, an SSH key is a cryptographic authenticator. The primary authenticator secret is the SSH private key, which is used by the client to digitally sign a message. The corresponding public key is used by the server to verify the message signature, which confirms that the claimant has possession and control of the private key.

To avoid theft, the SSH private key (something that one has) may be encrypted using a passphrase (something that one knows). To initiate a two-factor authentication process, the claimant supplies the passphrase to the client system.

Like a password, the SSH passphrase is a memorized secret but that is where the similarity ends. Whereas a password is a shared secret that is transmitted over the network, the SSH passphrase is not shared, and moreover, use of the passphrase is strictly confined to the client system. Authentication via SSH is an example of passwordless authentication since it avoids the transmission of a shared secret over the network. In fact, SSH authentication does not require a shared secret at all.

FIDO2

The FIDO U2F protocol standard became the starting point for the FIDO2 Project, a joint effort between the World Wide Web Consortium (W3C) and the FIDO Alliance. Project deliverables include the W3C Web Authentication (WebAuthn) standard and the FIDO Client to Authenticator Protocol (CTAP). Together WebAuthn and CTAP provide a strong authentication solution for the web.

A FIDO2 authenticator, also called a WebAuthn authenticator, uses public-key cryptography to interoperate with a WebAuthn client, that is, a conforming web user agent that implements the WebAuthn JavaScript API. The authenticator may be a platform authenticator, a roaming authenticator, or some combination of the two. For example, a FIDO2 authenticator that implements the CTAP2 protocol is a roaming authenticator that communicates with a WebAuthn client via one or more of the following transport options: USB, near-field communication (NFC), or Bluetooth Low Energy (BLE). Concrete examples of FIDO2 platform authenticators include Windows Hello and the Android operating system.

A FIDO2 authenticator may be used in either single-factor mode or multi-factor mode. In single-factor mode, the authenticator is activated by a simple test of user presence (e.g., a button push). In multi-factor mode, the authenticator (something that one has) is activated by either a PIN (something that one knows) or a biometric ("something that is unique to oneself").

Security code

First and foremost, strong authentication begins with multi-factor authentication. The best thing one can do to protect a personal online account is to enable multi-factor authentication. There are two ways to achieve multi-factor authentication:

Use a multi-factor authenticator
Use a combination of two or more single-factor authenticators

In practice, a common approach is to combine a password authenticator (something that one knows) with some other authenticator (something that one has) such as a cryptographic authenticator.

Generally speaking, a cryptographic authenticator is preferred over an authenticator that does not use cryptographic methods. All else being equal, a cryptographic authenticator that uses public-key cryptography is better than one that uses symmetric-key cryptography since the latter requires shared keys (which may be stolen or misused).

Again all else being equal, a hardware-based authenticator is better than a software-based authenticator since the authenticator secret is presumably better protected in hardware. This preference is reflected in the NIST requirements outlined in the next section.

NIST authenticator assurance levels

NIST defines three levels of assurance with respect to authenticators. The highest authenticator assurance level (AAL3) requires multi-factor authentication using either a multi-factor authenticator or an appropriate combination of single-factor authenticators. At AAL3, at least one of the authenticators must be a cryptographic hardware-based authenticator. Given these basic requirements, possible authenticator combinations used at AAL3 include:

A multi-factor cryptographic hardware-based authenticator
A single-factor cryptographic hardware-based authenticator used in conjunction with some other authenticator (such as a password authenticator)

See the NIST Digital Identity Guidelines for further discussion of authenticator assurance levels.

Restricted authenticators

Like authenticator assurance levels, the notion of a restricted authenticator is a NIST concept. The term refers to an authenticator with a demonstrated inability to resist attacks, which puts the reliability of the authenticator in doubt. Federal agencies mitigate the use of a restricted authenticator by offering subscribers an alternative authenticator that is not restricted and by developing a migration plan in the event that a restricted authenticator is prohibited from use at some point in the future.

Currently, the use of the public switched telephone network is restricted by NIST. In particular, the out-of-band transmission of one-time passwords (OTPs) via recorded voice messages or SMS messages is restricted. Moreover, if an agency chooses to use voice- or SMS-based OTPs, that agency must verify that the OTP is being transmitted to a phone and not an IP address since Voice over IP (VoIP) accounts are not routinely protected with multi-factor authentication.

Comparison

It is convenient to use passwords as a basis for comparison since it is widely understood how to use a password. On computer systems, passwords have been used since at least the early 1960s. More generally, passwords have been used since ancient times.

In 2012, Bonneau et al. evaluated two decades of proposals to replace passwords by systematically comparing web passwords to 35 competing authentication schemes in terms of their usability, deployability, and security. (The cited technical report is an extended version of the peer-reviewed paper by the same name.) They found that most schemes do better than passwords on security while every scheme does worse than passwords on deployability. In terms of usability, some schemes do better and some schemes do worse than passwords.

Google used the evaluation framework of Bonneau et al. to compare security keys to passwords and one-time passwords. They concluded that security keys are more usable and deployable than one-time passwords, and more secure than both passwords and one-time passwords.

See also

Electronic authentication


Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.