Authenticator Types
Learn about the authenticators supported by OTP Guard, and clear up some of the confusing technologies and terminology in the authentication space.
Last updated
Learn about the authenticators supported by OTP Guard, and clear up some of the confusing technologies and terminology in the authentication space.
Last updated
OTP Guard supports three main types of authenticators:
TOTP - A time-based six-digit code, typically accessed through a mobile app such as Google Authenticator
Platform Authenticator - the authenticators built into your browser such as Apple iCloud Keychain, Windows Hello, Chrome Password Manager, among others.
Security Key - Physical USB devices such as a
For the best security, we recommend security keys, because they typically need physical interaction - usually a tap - in order to be used. Malware can't press a button.
If your organization requires biometric or PIN authentication on top of the security key, please .
Platform authenticators are a good middle ground for organizations that have not yet deployed widespread security keys. Additionally, some WebAuthN implementations such as iCloud Keychain will sync keys across all your connected devices.
TOTP is the type of authenticator that would be familiar to most people. This is the most common second-factor outside of . However, TOTP is somewhat vulnerable: it can be or even stolen if the TOTP secret key is stored alongside a username and password.
Under the hood, OTP Guard implements to support platform and security key authenticators. Most Webauthn-compliant device or integrations should work with OTP Guard as long as they are accessible via the internal or usb - which map to platform authenticators and security keys, respectively.
Support for NFC (near-field communication) or Bluetooth Low Energy is untested and disabled for now. If you need support for NFC or BLE authenticators, please .
Passkeys are a new WebAuthn-based login mechanism that is becoming more common. The term 'passkey' can cover multiple types of authenticators, and is usually used specifically in the context of logging into a website or service.
E-mails are generally not considered secure as a second factor for authentication. In some cases, email can be used as a primary factor for logins, and there are ways to securely use emailed verification codes. However, email should not be relied on as an additional security factor, and OTP Guard does not support authentication via email.
Since OTP Guard does not use WebAuthn for logins, we do not describe our authenticators as 'passkeys' to minimize confusion in an already-confusing space. If this just makes things even more confusing, then we apologize. Please how things could be more clear.
SMS - mobile text messages - are the most common form of second factor authentication. However, SMS has shown to be insecure as a second factor, due to attacks. OTP Guard does not support SMS as an authentication method.
