Authenticators

An authenticator is an extensible interface to enable users to authenticate. Authenticators use backend endpoints that verify a proof of the user's identity. Authenticators can also use frontends to collect input. Some authenticators implement complex security standards to enable connectivity with external systems.

Getting Started

To create an authenticator, sign in to the Admin UI and navigate to Profiles → Authentication Service → Authenticators. Then select + New Authenticator and choose one of the built-in options.

  1. Create an Authenticator

    When getting started, choose a simple option like passwords.

  2. Create a Client that uses the Authenticator

    Next, create a client and configure it to use an authenticator.

  3. Run a Code Flow

    Next, the client triggers user authentication, most commonly with an OAuth code flow.

The Getting Started Guides on the Curity website guide you through these steps. Before integrating a client you can use OAuth Tools as a test client.
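
To illustrate step 3 from the client's side, the following Python example (added here, not taken from the Curity documentation) builds a code flow authorization request with PKCE and validates the redirect response before preparing the token request. The endpoint URL, client ID, redirect URI and function names are constructed placeholders, not values from the Curity Identity Server.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders (assumptions): replace with your own client settings.
AUTHORIZE_ENDPOINT = "https://idsvr.example.com/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example.com/callback"


def start_code_flow(scope="openid"):
    """Return (authorization_url, session) for a new login attempt."""
    verifier = secrets.token_urlsafe(48)  # 64 chars, inside RFC 7636's 43-128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    state = secrets.token_urlsafe(24)     # binds the response to this browser session
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    # The client stores state and verifier in its own session, never in the URL.
    session = {"state": state, "code_verifier": verifier}
    return f"{AUTHORIZE_ENDPOINT}?{query}", session


def handle_callback(callback_url, session):
    """Validate the redirect response and return the token request parameters."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    returned = params.get("state", "").encode()
    if not hmac.compare_digest(returned, session["state"].encode()):
        raise ValueError("state mismatch: response does not belong to this login")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error']}")
    if "code" not in params:
        raise ValueError("no authorization code in response")
    return {
        "grant_type": "authorization_code",
        "code": params["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],  # proves this client began the flow
    }
```

The user authenticates with the configured authenticator between the two calls; the client only sees the redirect back with `code` and `state`.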

Authenticator Categories

There are a number of authenticator categories that you can choose from to implement your user authentication requirements. They enable you to implement strong customer authentication (SCA) and also to blend security with user experience.

Standalone Authenticators

Options like passwords and passkeys provide a proof that the same user is present as previously. This type of authenticator requires no difficult user prerequisites and may provide built-in account recovery.

External Identity Providers

An authentication profile uses security standards to integrate with external identity providers (IDP). This enables the use of existing login policies for employees and business partners. Authenticators capture context from those systems, which your APIs can receive in tokens later.

One Time Passwords

An option like email authentication can enable a frictionless initial login before fully onboarding a user. Other similar authenticators include SMS and authenticator apps that use time-based one-time-passwords (TOTP). This type of authenticator is often used in a multi-factor flow or for account recovery.

Identifying Authenticators

Authenticators do not always need to verify the user’s identity. For example, the username authenticator plays a vital role in enabling tailored user experiences for different user types. The username authenticator enables routing to the user’s preferred authentication method(s).

Identity Proofing Authenticators

Some authenticators use strong security to provide a high level of assurance of the user’s identity. For example, BankID is commonly used in Sweden. In 2026, the OpenID wallet authenticator will integrate with EU wallets and capture attributes that your APIs can receive.

Extensibility Points

Authenticators are implemented with a plugin system that enables each action to use shared frontend and backend behaviors. The Authenticator Configuration page provides an overview and links to further information.

Authenticators can integrate with other key interfaces to enable you to compose user authentication behaviors in powerful ways. This capability can be critical when you onboard to the Curity Identity Server, and need to run old and new identity solutions side-by-side.

Representations

Authenticators can use multiple frontend representations. By default, authenticators use HTML forms and render in the browser. Applications can use the Hypermedia Authentication API (HAAPI) to implement API-driven login flows. Authenticators then return JSON form representations rather than HTML form representations. HAAPI avoids redirecting users during logins and is often used to enable a Pure Native Mobile Login User Experience.

Learn by Use Case

The Curity website provides many learning resources where you can learn more about authenticator use cases:

Curity Online Training

The best way to learn about authenticators is to implement flows that use them. The Administrator Training Courses walk you through a number of authentication flows to explain how to use various mainstream authenticators.
