# Authenticator Types

## Supported Authenticators

OTP Guard supports three main types of authenticators:

* **TOTP** - A time-based six-digit code, typically accessed through a mobile app such as Google Authenticator.
* **Platform Authenticator** - An authenticator built into your browser or device, such as Apple iCloud Keychain, Windows Hello, or Chrome Password Manager.
* **Security Key** - A physical USB device such as a [YubiKey](https://www.yubico.com/products/security-key/).

## Recommendations

For the best security, we recommend **security keys**, because they typically need physical interaction - usually a tap - in order to be used. Malware can't press a button.

If your organization requires biometric or PIN authentication on top of the security key, please [contact us](mailto:support@transfix.ai).

Platform authenticators are a good middle ground for organizations that have not yet widely deployed security keys. Additionally, some WebAuthn implementations such as iCloud Keychain will sync keys across all your connected devices.

TOTP is the type of authenticator that would be familiar to most people. It is the most common second factor outside of [SMS](#sms). However, TOTP is somewhat vulnerable: it can be [phished](/phishing-resistance.md#totp) or even stolen if the TOTP secret key is stored alongside a username and password.

## WebAuthn

Under the hood, OTP Guard implements [WebAuthn](https://webauthn.guide/#about-webauthn) to support platform and security key authenticators. Most WebAuthn-compliant devices or integrations should work with OTP Guard as long as they are accessible via the `internal` or `usb` [transports](https://www.w3.org/TR/webauthn-2/#enum-transport), which map to platform authenticators and security keys, respectively.

Support for NFC (near-field communication) or Bluetooth Low Energy is untested and disabled for now. If you need support for NFC or BLE authenticators, please [contact us](mailto:support@transfix.ai).
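The transport rule above can be expressed as a small filter. This is an added example, not OTP Guard's own code: it sorts a credential's reported transports into the two supported authenticator types and leaves NFC and BLE out. The function names and sample credentials are hypothetical, and accepting a credential when at least one of its transports is `internal` or `usb` is an assumption.

```javascript
// Added example, not OTP Guard's code. All names here are hypothetical.
// Assumed policy: a credential is usable if at least one of its reported
// transports is "internal" or "usb"; NFC and BLE are never offered.
const SUPPORTED_TRANSPORTS = new Map([
  ["internal", "platform"],   // built-in authenticator (Windows Hello, iCloud Keychain, ...)
  ["usb", "security-key"],    // removable key such as a YubiKey
]);

// `transports` is the string array a browser returns from
// AuthenticatorAttestationResponse.getTransports() at registration.
// These values are client-reported hints, so treat the result as a
// compatibility filter, not as proof of the authenticator's hardware.
function classifyAuthenticator(transports) {
  if (!Array.isArray(transports) || transports.length === 0) {
    return { accepted: false, type: null, usable: [], reason: "no transports reported" };
  }
  const usable = transports.filter((t) => SUPPORTED_TRANSPORTS.has(t));
  if (usable.length === 0) {
    return { accepted: false, type: null, usable, reason: "only unsupported transports: " + transports.join(", ") };
  }
  // "internal" identifies a platform authenticator; otherwise it is a USB key.
  const type = usable.includes("internal") ? "platform" : "security-key";
  return { accepted: true, type, usable, reason: null };
}

// Build the allowCredentials list for navigator.credentials.get(),
// keeping only supported transports so NFC/BLE are not hinted to the browser.
function buildAllowCredentials(storedCredentials) {
  return storedCredentials.flatMap((cred) => {
    const verdict = classifyAuthenticator(cred.transports);
    return verdict.accepted
      ? [{ type: "public-key", id: cred.id, transports: verdict.usable }]
      : [];
  });
}

// Constructed sample records (credential IDs are made-up bytes).
const SAMPLE_CREDENTIALS = [
  { id: Uint8Array.of(1, 2, 3), transports: ["usb", "nfc"] },  // USB key that also has NFC
  { id: Uint8Array.of(4, 5, 6), transports: ["internal"] },    // laptop platform authenticator
  { id: Uint8Array.of(7, 8, 9), transports: ["nfc", "ble"] },  // unsupported transports only
];

for (const cred of SAMPLE_CREDENTIALS) {
  console.log(cred.transports, "->", classifyAuthenticator(cred.transports));
}
console.log(buildAllowCredentials(SAMPLE_CREDENTIALS).length, "credentials offered");
```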

## Passkeys

Passkeys are a new WebAuthn-based login mechanism that is becoming more common. The term 'passkey' can cover multiple types of authenticators, and is usually used specifically in the context of logging into a website or service.

Since OTP Guard does not use WebAuthn for logins, we do not describe our authenticators as 'passkeys' to minimize confusion in an already-confusing space. If this just makes things even more confusing, then we apologize. Please [let us know](mailto:support@transfix.ai) how things could be more clear.

## SMS

SMS - mobile text messaging - is the most common form of second factor authentication. However, SMS has been shown to be insecure as a second factor, due to [SIM swapping](https://en.wikipedia.org/wiki/SIM_swap_scam) attacks. OTP Guard does not support SMS as an authentication method.

## Email

Email is generally not considered secure as a second factor for authentication. In some cases, email can be used as a primary factor for logins, and there are ways to securely use emailed verification codes. However, email should not be relied on as an additional security factor, and OTP Guard does not support authentication via email.

