The password crisis has reached its inevitable conclusion. After decades of security breaches, compromised credentials, and endless reminders to use "stronger passwords," the tech industry has collectively acknowledged that human beings simply cannot be trusted with secrets. The solution? Passkeys—a new type of credential designed to replace the vulnerable passwords we've long relied on.

Article illustration 1

But as with any technological revolution, the implementation is more complex than the promise. Passkeys aren't just a different way to type credentials; they represent a fundamental shift in authentication architecture. At the heart of this shift is the authenticator—the component that creates, stores, and manages your passkeys.

In the world of passkeys, there are three types of authenticators: platform, virtual, and roaming. While platform authenticators are built into your devices (like Apple's Face ID or Windows Hello), and roaming authenticators are physical security keys you carry with you, virtual authenticators represent the software-only approach that most people are already using—whether they realize it or not.

The BYO Authenticator Revolution

Virtual authenticators are essentially "Bring Your Own" (BYO) authenticators. Unlike platform authenticators that are deeply integrated with your device's hardware and operating system, virtual authenticators are third-party software solutions that you install and configure to handle your passkey credentials.

"The authenticator is critical to any passkey-based workflow," explains David Berlind in his ZDNET series. "While the authenticator is typically offered as an integral component of your password manager, it is sometimes packaged as a separate component."

This is where most password managers come into play. Services like 1Password, BitWarden, Dashlane, LastPass, and NordPass don't just store your passwords—they function as full-fledged virtual authenticators, managing your passkeys with the same security and convenience you've come to expect.

Why Virtual Authenticators Matter

The primary advantage of virtual authenticators lies in their flexibility and cross-platform compatibility. While platform authenticators like Apple's iCloud Keychain are limited to Apple ecosystems and Microsoft's authenticator favors Windows devices, virtual authenticators typically support a wide range of platforms and browsers.

"Whereas platform authenticators and their associated credential management capabilities tend to offer limited functionality and configurability, third-party virtual authenticators typically provide a wide variety of user-friendly features that make them more attractive to certain users with specific preferences," Berlind notes.

This cross-platform support is crucial for the passwordless future. As more websites and apps adopt passkeys, users will need authenticators that work seamlessly across their various devices—whether they're using a MacBook at work, a Windows PC at home, or an Android phone on the go.

The Security Trade-Offs

Virtual authenticators do come with some security considerations that distinguish them from their platform counterparts. Unlike platform authenticators that leverage dedicated security hardware (like Apple's Secure Enclave or TPM chips in Windows devices), virtual authenticators perform cryptographic operations in software.

"Instead of using an authenticator that's already built into your device and largely controlled by its operating system (as is the case with platform authenticators from Apple and Microsoft), you install and configure a third-party substitute to take over the role of authenticator and credential manager," Berlind explains.

This software-only approach means virtual authenticators must rely more heavily on the security of the underlying operating system and the robustness of their own implementation. However, leading password managers have invested heavily in security measures to protect these credentials, including encryption, secure storage, and multi-factor authentication.

The Competitive Landscape

The market for virtual authenticators is competitive, with vendors differentiating themselves through features, pricing, and platform support. Some, like BitWarden, offer free versions alongside more feature-rich paid options. Others focus on specific niches—some cater to enterprise needs, while others are optimized for individual users.

"The vendors behind these virtual authenticators know they're competing not only with the cost-free nature of platform authenticators (which are built into various operating systems and browsers). The vendors also know they're competing with each other on the basis of the platforms and browsers they support," Berlind observes.

This competition has driven innovation, with virtual authenticators offering features that platform authenticators often lack, such as advanced password generation, secure note storage, and breach monitoring.

The Synchronization Question

One of the most important considerations for virtual authenticators is how they synchronize your credentials across devices. Most offer cloud-based synchronization through their own infrastructure, allowing you to access your passkeys from any device where you've installed the application.

"In the same way that Apple and Microsoft utilize their clouds as credential synchronization hubs, most virtual authenticators offer synchronization capabilities through their own clouds, and some even allow customers to substitute their own synchronization hubs," Berlind writes.

This self-hosting capability is particularly valuable for organizations with strict data sovereignty requirements or concerns about storing sensitive credentials in third-party clouds.

The Future of Authentication

As more websites and apps adopt passkeys, understanding the different authenticator types will become increasingly important. While platform authenticators offer convenience for users deeply embedded in specific ecosystems, and roaming authenticators provide maximum security for high-risk applications, virtual authenticators strike a balance between security, convenience, and flexibility.

For most users, the password manager they already trust has quietly evolved into a sophisticated passkey authenticator, ready to power their passwordless future. Whether you knew it or not, you're already part of the authentication revolution.

As we continue this journey toward a passwordless world, the choice of authenticator will become as important as the choice of password manager was in the previous era. And for those who value cross-platform compatibility, feature-rich functionality, and the convenience of a single solution for all their authentication needs, the virtual authenticator may very well be the key to a more secure digital future.