Ambimat Engineering Blog · Ahmedabad, India

Platform vs Roaming Authenticators.

Platform-bound and roaming authenticators are both first-class WebAuthn citizens. The deployment choice is operational: which form factor matches your users, your assurance requirements, and your budget. The right answer is usually both.

The two categories

WebAuthn distinguishes two authenticator attachments. Platform authenticators are bound to the device the user is signing in from — Touch ID on a MacBook, Windows Hello on a Windows laptop, Android Strongbox on an Android phone. The credential lives inside that specific device's secure element. Roaming authenticators are external devices that move between hosts — YubiKeys, smart cards, OnePass devices. Plug them in, tap them, sign across whichever device the user is at.

Both are first-class WebAuthn citizens. The protocol does not prefer one over the other. The deployment choice is operational: which form factor matches your users' work patterns, your assurance requirements, and your budget.

Platform authenticators — what they are

Platform authenticators are integrated into the user's existing device. They use the device's existing secure element / TPM / secure enclave. They have no separate procurement, no shipping, no chain-of-custody — the device the user already has becomes the authenticator.

The major implementations:

  • Apple Touch ID / Face ID (macOS, iOS) — backed by the Secure Enclave Processor (SEP). Returns fmt: "apple" attestation; AAGUID is per-OS-version cohort, not per-device.
  • Windows Hello (Windows 10+) — backed by TPM 2.0 (most laptops) or fTPM (firmware TPM in CPU). Returns fmt: "tpm" with verifiedBootState in the attestation chain.
  • Android Keystore + Strongbox — Strongbox uses a discrete tamper-resistant secure element on supported devices (Pixel 3+, Samsung Galaxy S10+ on Knox). Returns fmt: "android-key" with a hardware-attested chain.
  • Browser-mediated synced passkeys — Chrome (Google Password Manager), Safari (iCloud Keychain), Edge (Windows Hello + Microsoft account). These are platform authenticators that, when the user opts in, become syncable across the user's devices in the platform vendor's ecosystem.

Roaming authenticators — what they are

Roaming authenticators are external hardware that connects to the host via USB-HID, NFC, or BLE. They contain a secure element dedicated to FIDO operations. They are not bound to any single device; tap or insert into whichever host the user is at.

The major implementations:

  • USB security keys (YubiKey 5, Token2 T2F2, OnePass USB Key, Feitian K9) — USB-A or USB-C, optional NFC. Battery-free; the host powers them. FIDO L2 is typical; CC EAL5+ secure elements available.
  • FIDO smart cards (OnePass Card, IDEMIA, Thales) — ISO 7810 ID-1 form factor. NFC + USB-C; brandable. Often combined with PIV for legacy compatibility and with employee-ID printing for badge use.
  • Bluetooth security keys (Token2 T2F2 BLE, Feitian Multipass) — rare; mostly relevant for tablet / phone use cases without an NFC reader. Battery-powered; pair / unpair management overhead.
  • Mobile-as-roaming-authenticator — via the WebAuthn hybrid transport (caBLE), the user's phone can act as a roaming authenticator for sessions on another device. QR-code initiated, BLE proximity-checked.

The decision matrix

Property                    Platform                            Roaming
--------------------------  ----------------------------------  ------------------------------------
Per-user procurement cost   $0 (device exists)                  $25 - $60 per authenticator
Cross-device portability    No (or via sync)                    Yes (move physically)
Loss recovery               Tied to device replacement          Issue replacement; original revoked
Theft posture               Lose device, lose credential        Lose key, original device unaffected
Assurance level (default)   L1-L2 typical                       L2-L3 typical (CC EAL5+ available)
BE flag (default)           1 if synced; 0 if not               0 (device-bound)
Provisioning                Self-service after device receipt   In-person / mailed-kit
UV (default)                Touch ID / Face ID / Hello          PIN entered into device
NFC support                 Some devices                        Most modern keys + smart cards

The right answer is “both”

For consumer use, platform-bound is the right default. Users have phones; phones have secure enclaves; passkey enrolment is one tap. The cost-per-user is zero. The friction is minimal. Recovery via cloud sync is acceptable for the consumer threat model.

For workforce use, roaming-as-primary, platform-as-secondary is the right default. Roaming gives you device-bound (BE=0) credentials that survive laptop replacement, that work across all the hosts a user touches, and that the security team can pin by attestation. Platform authenticators serve as the secondary — the user always has their phone, so a Touch ID / Hello credential is a useful backup.

Neither side should be exclusive. Users who lose their roaming authenticator should have a platform credential to fall back on. Users who lose their phone should have a roaming key to keep working. Defence in form factor.

Form-factor specifics

Smart cards

The strongest form factor for an enterprise that already issues badges. The card serves three roles — physical-access badge, FIDO authenticator, ID photo — on one piece of plastic. Issuance integrates with badge printing; lifecycle management ties into existing badge workflows. NFC + USB-C means the card works at every reader the user encounters.

OnePass Card ships with this posture. CC EAL5+ secure element, FIDO L2 certification, ISO 7810 ID-1 dimensions. PIV-compatible for legacy systems that haven't migrated to FIDO yet.

USB keys

The simplest form factor. Plug it in, tap when prompted. Less ceremonial than smart cards; less brandable. Works great for engineers who live in laptops. Less great for environments where the laptop port is occupied or where the user is mobile across many hosts (think: nurses moving between hospital workstations).

OnePass USB Key, USB-A and USB-C variants. Battery-free. NFC variants available for phone-tap.

Biometric smart cards

An emerging form factor: a smart card with an on-card fingerprint sensor. The fingerprint is matched on-card; the card emits the UV flag once matched. CTAP2.1 bio-enrolment; CC EAL5+ certified.

Use case: environments where typing a PIN is impractical (gloved hands, public areas with shoulder-surfing concern). The card is a single tap; the fingerprint is the UV. Slightly more expensive ($60-$80 per unit); better UX for the right context.

Provisioning paths by form factor

Platform authenticators provision themselves — the user signs in once, the browser prompts to add a passkey, done. Zero IT touch.

Roaming authenticators require provisioning. Three patterns by deployment type:

Pattern 1: IT desk on day 1

HR start date triggers IT desk visit. New hire receives card and key, enrols both. 15 minutes per user; scales to 50-100 enrolments per day per IT person. Right for in-office workforces.

Pattern 2: mailed kit + supervised enrolment

Tamper-evident envelope ships to user; Zoom session for supervised enrolment with an IT manager observing. The envelope is the chain-of-custody. Right for remote-first.

Pattern 3: enrolment kiosks

Self-service enrolment kiosks at office entrances. The kiosk is a hardened terminal that handles the enrolment session; identity-verification is by badge swipe + PIN. Right for very large workforces.

Recovery by form-factor combination

Recovery design depends on what authenticators the user has enrolled. The three-authenticator pattern (card + key + platform) is increasingly the default:

  • User enrols card + USB key on day 1.
  • User enrols a platform authenticator on their work phone within the first week.
  • Lose card → sign in with USB key, IT issues new card.
  • Lose USB key → sign in with card, IT issues new key.
  • Lose both at once (rare) → sign in with phone platform authenticator, IT issues both replacements.
  • Lose all three (very rare) → in-person identity verification, full re-enrolment.

This pattern degrades gracefully: each loss event has a working fallback. The compounding probability of losing all three at once is small enough that the in-person re-enrolment flow handles only a handful of cases per year per 10k users.

The hybrid (caBLE) transport — phone as roaming key

A useful intermediate: the user has a passkey on their phone (platform), and uses the phone as a roaming authenticator for sessions on a laptop they're at. The browser shows a QR code; the phone scans; BLE proximity check; phone signs the assertion.

This is excellent UX for the "I'm at my colleague's machine and need to check email" scenario. The trust model is the platform authenticator's trust model on the phone — same as if the user were signing in directly on the phone.

The friction: BLE pairing is sometimes finicky; the QR-scan ceremony has a learning curve; first-time hybrid use is slower than typing a password. After the first time, it becomes muscle memory.

Operational considerations

Lost-and-found rates

Real-world lost-key rates: 1.5-3% of authenticators per year, depending on form factor. Smart cards are lost more often than USB keys (left in the slot reader at the desk overnight, taken home in a pocket, run through the wash). USB keys are lost less often but break more often (USB connector damage). Plan for both.

Battery considerations

Smart cards and USB keys are passive (powered by the host). No battery management. BLE keys have batteries; budget for 2-year battery life and pre-emptive replacement. Bio cards may have a small capacitor for the sensor; check vendor specs.

Compliance posture

Roaming hardware authenticators with FIDO L2 certification satisfy NIST AAL3 phishing-resistance requirements (provided UV is required). Platform authenticators on TPM 2.0 / Strongbox / Secure Enclave also satisfy AAL3 in most assessments. Confirm with your auditor whether attestation-pinning is required for your specific compliance regime.

Three deployment archetypes

Archetype 1: Tech company, 5,000 engineers

  • OnePass USB Key (USB-C) per engineer for laptops.
  • OnePass Card per engineer for office turnstile + desk reader.
  • Platform credentials on phone as backup.
  • BE=0 enforced for production access; BE=1 accepted for everyday SaaS.

Archetype 2: Healthcare, 50,000 nurses + clinicians

  • OnePass Bio Card per clinician (bio = no PIN typing in shared workstations).
  • NFC reader at every workstation; tap-to-sign workflow.
  • Platform credentials on assigned tablets.
  • UV required for prescription access; UP only for read-only chart review.

Archetype 3: Government agency, 100,000 employees

  • PIV+FIDO smart card per employee (legacy PIV compatibility + new FIDO).
  • USB key as secondary for users with laptops.
  • BE=0 enforced everywhere.
  • FIPS 140-2 level 3 secure element required; AAGUID allow-list pinned to FIPS-validated devices.
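The relying-party check that the decision matrix's BE flag row and the archetypes' "BE=0 enforced" / "AAGUID allow-list pinned" rules imply, as an added example (not code from the original post or from the OnePass product): parse the WebAuthn authenticator data from a registration, read the UV and BE flags and the AAGUID, and apply a tiered policy. The AAGUID values, the allow-list and the sample authenticator data are constructed placeholders.

```python
import struct
import uuid

# Authenticator-data flag bits (WebAuthn authData layout).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced
FLAG_AT = 0x40  # attested credential data (incl. AAGUID) follows

# Constructed placeholder AAGUIDs; real pinned values come from vendor metadata.
PINNED_USB_KEY = uuid.UUID("00000000-0000-4000-8000-0000000000a1")
UNPINNED_AAGUID = uuid.UUID("00000000-0000-4000-8000-0000000000ff")
ALLOW_LIST = {PINNED_USB_KEY}

def parse_auth_data(auth_data: bytes) -> dict:
    """Read the flags byte and the AAGUID out of raw authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]                      # rpIdHash occupies bytes 0..31
    aaguid = None
    if flags & FLAG_AT:                        # AAGUID is bytes 37..52 when AT is set
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = uuid.UUID(bytes=auth_data[37:53])
    return {"up": bool(flags & FLAG_UP), "uv": bool(flags & FLAG_UV),
            "be": bool(flags & FLAG_BE), "aaguid": aaguid}

def registration_allowed(auth_data: bytes, tier: str) -> tuple:
    """'production' needs BE=0, UV and a pinned AAGUID; 'saas' accepts BE=1 but still needs UV."""
    ad = parse_auth_data(auth_data)
    if ad["aaguid"] is None:
        return False, "no attested credential data in registration"
    if not ad["uv"]:
        return False, "user verification flag not set"
    if tier == "production":
        if ad["be"]:
            return False, "backup-eligible (BE=1) credential rejected for production"
        if ad["aaguid"] not in ALLOW_LIST:
            return False, "AAGUID %s not on allow-list" % ad["aaguid"]
        return True, "device-bound, user-verified, pinned AAGUID"
    if tier == "saas":
        return True, "synced credential accepted" if ad["be"] else "device-bound credential accepted"
    raise ValueError("unknown tier: %s" % tier)

def build_auth_data(flags: int, aaguid: uuid.UUID) -> bytes:
    """Constructed sample authData with attested credential data, for testing."""
    rp_id_hash = b"\x11" * 32                  # stands in for SHA-256(rpId)
    cred_id = b"\xaa" * 16
    cose_key = b"\xa0"                         # empty CBOR map in place of a COSE key
    return (rp_id_hash + bytes([flags | FLAG_AT]) + struct.pack(">I", 1)
            + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + cose_key)
```

In a real RP the AAGUID should be taken from the verified attestation statement, not trusted from unverified authData alone; the parsing above is the same either way.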

The bottom line

Platform vs roaming is not a binary. The right deployment uses both, in tiers, with a clear primary-secondary-tertiary structure. The form factor matters operationally: smart cards for badge-equipped workforces, USB keys for laptop-centric ones, biometric cards for shared-workstation contexts. Underneath, the protocol is the same; the variation is operational.
