ZDNET’s key takeaways
- Passkeys are on a course to replace most passwords.
- Using passkeys involves a delicate balance of multiple technologies.
- One of those technologies is the “authenticator,” of which there are multiple types.
In ZDNET’s six-part series on how passkeys work and why the passwordless technology produces a significantly more secure login credential than typical usernames and passwords, I spilled a good deal of digital ink on the special role played by the authenticator.
Also: How passkeys work: The complete guide to your inevitable passwordless future
Each time you register or use a passkey, you’re typically encountering four quasi-independent entities that, with the help of some relatively new standards, are integrated with one another to produce an end-to-end passkey user experience.
What is a passkey authenticator?
The first of these entities is the authenticator – not Google’s Authenticator or Microsoft’s Authenticator, necessarily; rather, it’s usually an integral component of your password manager. In fact, given the degree to which authenticators are typically built into password managers, the phrase “authenticator” is often omitted from discussions about credential management. However, since authenticators can also exist as stand-alone components (separate from any password management capabilities), it’s helpful to consider their unique role as independent actors in any passkey workflow.
The next of the four entities is the website/app (aka the “relying party”), which is represented by the server-side components that handle end-user authentication requests. The other two entities are the operating system and web browser found on the device that the user is working with at the moment they begin a passkey-related workflow. Of the four entities, the authenticator’s role is probably the most confusing to users, but it is also the most strategic when preparing for the passwordless future that awaits us.
Passkeys: Because we’re our own worst enemy
Passkeys are coming to many of the websites and applications you use. As painful as this transition will be for many users and organizations, it cannot happen soon enough. Barely a day goes by without another headline in the mainstream media about some new breach that compromised tens or hundreds of thousands of customer or patient records.
Although the cause is rarely disclosed, the majority of these infiltrations typically begin when an employee or contractor for the affected organization is successfully socially engineered into disclosing their login credentials for a corporate application. This madness needs to stop. And, with research showing how 98% of users continue to let their guards down even after completing cybersecurity training, passkeys are currently the most promising defense available.
Also: Phishing training doesn’t stop your employees from clicking scam links – here’s why
Unfortunately, most SaaS apps aren’t doing enough to wean customers off of passwords in favor of passkeys. In some cases where the transition is happening, passkeys will replace traditional usernames and passwords altogether. In others, passkeys will co-exist as an alternative to passwords. Either way, once some of the relying parties you work with start to make that transition, you will have no choice but to rely on one or more authenticators to handle your passkey-based logins.
Unlike with user IDs and passwords, a passkey cannot be conjured from memory and manually entered from a keyboard. Instead, your chosen authenticator automatically takes care of that on your behalf. For this reason, it’s worth taking the time to understand the three official types of passkey authenticators available to you, the use cases to which each type applies, and how to approach authenticators as you start to prepare for the passwordless journey ahead.
The good news is that any authenticator choices you make today are not set in stone. You can always switch. The bad news? The further down the road you go with the authenticator(s) you pick today (yes, you can and might decide to simultaneously work with multiple authenticators), the harder it could be to switch in the future.
The goal of this new series is to help you make the best choices today so that you can avoid a painful migration tomorrow.
Authenticator terminology: A source of passkey confusion
The invention of passkeys was brought to us, in part, by the FIDO Alliance. Actually, it was one of the FIDO Alliance members – Apple – that memorialized the phrase “passkey” as a friendly nickname for FIDO’s FIDO2 Specification, which itself is a combination of two other standards: the World Wide Web Consortium’s WebAuthn specification for passwordless authentication on the web and FIDO’s Client-to-Authenticator Protocol (CTAP).
The “authenticator” in the phrase “client-to-authenticator” refers to the same authenticator that this article discusses. The client, in most cases, is your web browser or your device’s equivalent operating system component for processing in and outbound web traffic.
Also: I’m ditching passwords for passkeys for one reason – and it’s not what you think
Since Apple first introduced the term “passkey” at its 2021 Worldwide Developers Conference, the rest of the industry has adopted it. Unfortunately, that might have been the peak for passkey marketing. Today’s confusing passkey word salad has become a public relations problem for an otherwise very promising technology.
For example, as implied earlier, two other prominent FIDO Alliance members – Google and Microsoft – each offer an application called “Authenticator.” In Google’s case, Google Authenticator is a lot like Symantec VIP in that it’s dedicated to the generation of timed one-time passcodes (TOTPs) for use as second factors of authentication (typically, ones that go with user IDs and passwords).
Microsoft’s Authenticator also supports TOTPs and, until July 2025, served as a credential manager capable of managing and autofilling usernames, passwords, and passkeys. Then, it stripped its Authenticator of the username and password autofill capabilities while preserving support for TOTPs and a limited type of passkey: the device-bound passkey (discussed later in this series). For Microsoft, comprehensive user ID and password autofill support can now be found in the company’s Edge browser instead of Microsoft Authenticator.
Authenticator types: Platform, virtual, and roaming
On devices running Windows 10 and above, Microsoft currently offers support for passkeys through the operating system, the Edge browser, and the Trusted Platform Module (TPM); the latter is a secure hardware element that serves as a unique cryptographic root of trust for all modern Windows-capable computers. Given that passkey support is built into the operating system, Microsoft’s passkey technology is considered a platform authenticator, similar in nature to Apple’s iCloud Keychain.
Also: Inside every password manager is a virtual passkey authenticator – here’s why it matters
Meanwhile, there’s a class of passkey-compliant authenticators that I refer to as the BYO authenticators. The WebAuthn standard officially refers to these as “virtual authenticators.” These consist mainly of third-party offerings from 1Password, Bitwarden, LastPass, NordPass, and others that, in an unusual form of self-inflicted injustice, undersell themselves as “password managers.” But, in addition to supporting username/password-type credentials, they also support passkey-type credentials (the antitheses of passwords). So, they’re not just password managers. They’re really credential managers that happen to have passkey authenticators built into them. Confused yet? Wait, there’s more.
Of the three different types of passkey authenticators, Yubico’s YubiKey 5C NFC is considered to be a roaming authenticator. (Image: Yubico)
There’s another kind of passkey authenticator – a roaming authenticator – that’s commonly referred to as a security key. But a security key is not a passkey. Security keys like Yubico’s YubiKey and Google’s Titan are physical devices that you can carry in your pocket. They can act both as passkey authenticators and additional physical factors (the “what you have” factor) for non-passkey authentications. However, whereas the YubiKey supports TOTPs (and hash-based OTPs), Google really leaves the OTP gig to its aforementioned Authenticator app. (In a bit of a hack, our sister site PCMag.com notes that users can get TOTP and HOTP support from a Google Titan by using the Yubico app that’s normally paired with a YubiKey!)
Also: The best security keys: Expert tested
These confusing differences across all authenticator types and choices should not be taken lightly. Understanding the technical nuances will set you up for long-term credential success.
The three primary types of passkey authenticators – platform, virtual, and roaming – are mainly defined in the WebAuthn standard upon which passkeys (aka “FIDO2 Credentials”) are partially based. The next three parts of ZDNET’s guide to passkey authenticators describe, respectively, these three types of authenticators.