Examples of cryptographic authenticators are OATH authenticators and FIDO authenticators. As a counterexample, a password authenticator is not a cryptographic authenticator. For more information, see #Examples.

Each authenticator is associated with at least one secret that the claimant uses to prove possession and control of the authenticator. Because an attacker who obtained this secret could use it to impersonate the user, an authenticator secret must be protected from theft or loss. In practice, a common approach is to combine a password authenticator (something you know) with another authenticator (something you have), such as a cryptographic authenticator. Such measures typically require users not only to enter their password when accessing an account, but also to perform an additional step, such as providing a one-time code that is typically generated by an authenticator app. Launched in 2016, Microsoft Authenticator has since been used to enable easier and more secure logins, and it also lets users sign in to their Microsoft accounts without a password. (To add an account in the authenticator app, select the three-dot menu, then + Add Account.)

A public-private key pair is used to perform public-key cryptography. The public key is known to (and trusted by) the verifier, while the corresponding private key is securely bound to the authenticator. In the case of a dedicated hardware authenticator, the private key never leaves the boundary of the authenticator. In general, a cryptographic authenticator is preferred to an authenticator that does not use cryptographic methods. All else being equal, a cryptographic authenticator that uses public-key cryptography is better than one that uses symmetric-key cryptography, because symmetric-key cryptography requires a shared secret: a copy of the key must also be held by the verifier, where it can be stolen or misused.

Google Authenticator is a software authenticator from Google that implements two-step verification using the time-based one-time password algorithm (TOTP; specified in RFC 6238) and the HMAC-based one-time password algorithm (HOTP; specified in RFC 4226) to authenticate users of software applications.

A platform authenticator is integrated with a specific client device platform, that is, it is implemented on the device itself. In contrast, a roaming authenticator is a cross-platform authenticator implemented outside the device; it connects to a device platform using a transport protocol such as USB.

To use a multi-factor authenticator, the claimant performs full user verification: the multi-factor authenticator (something you have) is activated by a PIN (something you know), by a biometric ("something unique to you"; for example, fingerprint, face or speech recognition), or by another verification technique.
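The following Go program is an added example, not code from this page or from Google Authenticator, showing what an OATH authenticator app computes and what the verifier checks: HOTP as specified in RFC 4226, TOTP as specified in RFC 6238 on top of it, and a verifier-side check. The secret `12345678901234567890` is the published test secret from those RFCs; the 30-second step, the one-step drift window (`skew`) and the function names are this example's own choices. Note that the verifier needs the same shared secret as the app, which is the drawback of symmetric-key authenticators mentioned above.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotp computes an RFC 4226 one-time password: HMAC-SHA-1 of the 8-byte
// big-endian counter, dynamic truncation keyed on the low nibble of the last
// byte, then reduction modulo 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	hs := mac.Sum(nil) // 20 bytes
	offset := int(hs[len(hs)-1] & 0x0f)
	bin := binary.BigEndian.Uint32(hs[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// totp is RFC 6238: the HOTP counter is the number of whole time steps
// (30 s in common authenticator apps) elapsed since the Unix epoch.
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifyTOTP is the verifier side. It must hold the same shared secret as the
// authenticator app (a copy of the secret therefore exists on the server). It
// accepts codes from +-skew neighbouring steps to absorb clock drift and
// compares in constant time, without an early exit, so that timing does not
// reveal how much of a guess was correct or which step matched.
func verifyTOTP(secret []byte, candidate string, unixTime, step int64, digits, skew int) bool {
	ok := false
	for i := -skew; i <= skew; i++ {
		expected := totp(secret, unixTime+int64(i)*step, step, digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(candidate)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// Constructed input: the shared-secret test vector from RFC 4226 / RFC 6238.
	secret := []byte("12345678901234567890")
	for c := uint64(0); c < 3; c++ {
		fmt.Printf("HOTP counter %d: %s\n", c, hotp(secret, c, 6))
	}
	fmt.Println("TOTP at t=59 s:", totp(secret, 59, 30, 8))
	fmt.Println("accepted 20 s later with skew 1:", verifyTOTP(secret, "94287082", 79, 30, 8, 1))
	fmt.Println("accepted 20 s later with skew 0:", verifyTOTP(secret, "94287082", 79, 30, 8, 0))
}
```

The HOTP values for counters 0, 1 and 2 are 755224, 287082 and 359152, and the 8-digit TOTP at 59 seconds is 94287082, matching the tables in the two RFCs; a real deployment would additionally remember the last accepted step per user so that a code cannot be reused inside the drift window.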
It is convenient to describe an authenticator in terms of its hardware and software components. An authenticator is hardware-based or software-based depending on whether the secret key is stored in hardware or in software. Using the terminology of the NIST Digital Identity Guidelines, the party to be authenticated is referred to as the claimant, while the party verifying the claimant's identity is referred to as the verifier. If the claimant successfully demonstrates possession and control of one or more authenticators to the verifier by means of an established authentication protocol, the verifier can infer the claimant's identity. NIST defines three Authenticator Assurance Levels. The highest level (AAL3) requires multi-factor authentication using either a multi-factor authenticator or an appropriate combination of single-factor authenticators, and at least one of the authenticators must be a hardware-based cryptographic authenticator. Given these basic requirements, several authenticator combinations are possible at AAL3.

A FIDO2 authenticator can be used in single-factor mode or multi-factor mode. In single-factor mode, the authenticator is activated by a simple user-presence test (e.g., a key press). In multi-factor mode, the authenticator (something you have) is activated by a PIN (something you know) or a biometric ("something unique to you").
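As an added example that is not FIDO2 code and not taken from the page, the following Go program models the public-key authenticator described above and the FIDO2 activation modes: the verifier stores only a public key and issues a fresh challenge, the authenticator signs it only after the presence or user-verification gesture succeeds, and the private key never leaves the `Authenticator` value. Ed25519 from the Go standard library stands in for whatever algorithm a real authenticator uses; the relying-party ID `example.com`, the `gestureOK` flag and the type and method names are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the device side. The private key is generated here and
// no method ever returns it: only the public key and signatures leave it.
type Authenticator struct {
	priv ed25519.PrivateKey
	rpID string // relying party this credential was created for
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, nil
}

// PublicKey is all the authenticator hands over at registration.
func (a *Authenticator) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// Assert signs the verifier's challenge bound to the relying-party ID, but only
// after the gesture for the chosen mode succeeded: a presence test (key press)
// in single-factor mode, or PIN/biometric user verification in multi-factor mode.
func (a *Authenticator) Assert(challenge []byte, gestureOK bool) ([]byte, error) {
	if !gestureOK {
		return nil, errors.New("user presence/verification failed")
	}
	return ed25519.Sign(a.priv, signedData(a.rpID, challenge)), nil
}

// signedData is the byte string both sides agree to sign and verify.
func signedData(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"\x00"), challenge...)
}

// Verifier stores public keys only, so a dump of its database gives an
// attacker nothing that can produce a valid signature.
type Verifier struct {
	rpID    string
	keys    map[string]ed25519.PublicKey
	pending map[string]string // hex(challenge) -> user; each challenge is single use
}

func NewVerifier(rpID string) *Verifier {
	return &Verifier{rpID: rpID, keys: map[string]ed25519.PublicKey{}, pending: map[string]string{}}
}

func (v *Verifier) Register(user string, pub ed25519.PublicKey) { v.keys[user] = pub }

// Challenge issues 32 fresh random bytes; that freshness is what defeats replay.
func (v *Verifier) Challenge(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	v.pending[hex.EncodeToString(ch)] = user
	return ch, nil
}

// Verify accepts an assertion once: unknown, foreign or already-consumed
// challenges are rejected before any signature check.
func (v *Verifier) Verify(user string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if v.pending[key] != user {
		return false
	}
	delete(v.pending, key)
	pub, ok := v.keys[user]
	return ok && ed25519.Verify(pub, signedData(v.rpID, challenge), sig)
}

func main() {
	ver := NewVerifier("example.com") // hypothetical relying party
	auth, _ := NewAuthenticator("example.com")
	ver.Register("alice", auth.PublicKey())

	ch, _ := ver.Challenge("alice")
	sig, _ := auth.Assert(ch, true)
	fmt.Println("genuine assertion:", ver.Verify("alice", ch, sig))
	fmt.Println("replayed assertion:", ver.Verify("alice", ch, sig))

	ch2, _ := ver.Challenge("alice")
	other, _ := NewAuthenticator("example.com") // an attacker's own key, not alice's
	forged, _ := other.Assert(ch2, true)
	fmt.Println("assertion from wrong key:", ver.Verify("alice", ch2, forged))
}
```

The three lines printed are `true`, `false`, `false`: the registered key passes, the same assertion replayed is refused because the challenge has been consumed, and an assertion signed by a different key fails verification. Compare this with the TOTP verifier, which has to hold the very secret it checks.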
An important type of secret that is both memorized and shared is the password. In the particular case of a password, the authenticator is the secret itself. This is not the case with an authenticator app, where the secret stays inside the app and only a code derived from it is presented, which makes it more secure.