Platform Authenticators

Platform authenticators, in the context of FIDO2 passkeys, are authentication methods built directly into the device or platform, such as biometric sensors (e.g., fingerprint or facial recognition) or device-specific security features (e.g., Windows Hello, or Touch ID on Apple devices). These authenticators use the device's hardware and software to create and store the cryptographic keys used for passwordless authentication. Platform authenticators are highly secure because they are tightly integrated with the device, making them resistant to phishing and other common attacks. The private key never leaves the device, while the public key is sent to the service provider for authentication purposes. When the user tries to access an application, the device performs a local user verification and then uses the private key to sign a challenge from the service. The service provider uses the stored public key to verify the signed challenge, enabling secure access. This approach improves both security and user experience by eliminating the risks of password theft, phishing, and credential reuse. Platform authenticators also provide a seamless and convenient user experience, as authentication can be performed quickly without additional hardware or external tokens.

For modern desktops and laptops, the Unifyia platform supports passkey (FIDO2) issuance and storage using TPM (Trusted Platform Module) or secure enclaves, which protect private keys from unauthorized access, ensuring they remain secure on the device.