A working method includes: a client receives and parses an authentication request to obtain an application identifier, an authentication policy and a challenge value; generates a signature key identifier list according to the authentication policy; sends an identity information verifying instruction generated according to the challenge value, the application identifier and the signature key identifier list; an authenticator obtains a signature private key and a signature key identifier according to the signature key identifier list and the application identifier; generates a final challenge hash value according to the application identifier and the challenge value; generates a signature value according to the final challenge hash value, the preset authenticator identifier and the signature key identifier; sends the signature value to a server; the server receives the signature value and verifies the signature value, determines whether the verifying is successful, if yes, the verifying is successful; otherwise, the verifying is failed.