What is CTAP?
Developed by the FIDO Alliance, the Client to Authenticator Protocol (CTAP) enables communication between an external authenticator (e.g. mobile phones, connected devices) and another client (e.g. browser) or platform (i.e. operating system).
How does CTAP work?
FIDO2 consists of two standardized components: a web API (WebAuthn) and version 2 of CTAP. The two work together, and both are required to achieve a passwordless login experience. The earlier FIDO U2F protocol, which works with external authenticators, has been renamed CTAP1 in the WebAuthn specifications.
What’s the difference between CTAP1 and CTAP2?
FIDO CTAP1 enables an external and portable authenticator (such as a hardware security key) to interoperate with a client platform (such as a computer). The CTAP specification refers to two protocol versions: the CTAP1/U2F protocol and CTAP2. CTAP1 is a new name for FIDO U2F.
FIDO CTAP2 is responsible for the external factor, like a security key, communicating with the website or account using the authenticator. An authenticator that implements CTAP2 is called a FIDO2 authenticator (also called a WebAuthn authenticator). If that authenticator implements CTAP1/U2F as well, it is backward compatible with U2F.
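The distinction above can be read from what an authenticator advertises about itself. The following is an added example, not code from this page or from the FIDO Alliance: it decodes a CTAP2 authenticatorGetInfo reply and reports whether the device is a FIDO2 authenticator and whether it is backward compatible with U2F. The reply layout (a status byte followed by a CBOR map whose key 0x01 lists version strings such as "FIDO_2_0" and "U2F_V2") comes from the CTAP2 specification rather than this page, and the sample reply is constructed.

```python
# Added example. SAMPLE_REPLY is constructed data, not a capture from a device.
SAMPLE_REPLY = (bytes([0x00, 0xA2, 0x01, 0x82, 0x68]) + b"FIDO_2_0"
                + bytes([0x66]) + b"U2F_V2" + bytes([0x03, 0x50]) + bytes(16))

def _head(buf, i):
    """Decode one CBOR head; return (major type, argument, next offset)."""
    major, info = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if info < 24:
        return major, info, i
    if info > 27:
        raise ValueError("indefinite or reserved length")
    n = 1 << (info - 24)                      # 1, 2, 4 or 8 argument bytes
    return major, int.from_bytes(buf[i:i + n], "big"), i + n

def _item(buf, i):
    """Decode the CBOR subset needed here; return (value, next offset)."""
    if i >= len(buf):
        raise ValueError("truncated item")
    if buf[i] in (0xF4, 0xF5):                # simple values false / true
        return buf[i] == 0xF5, i + 1
    major, arg, i = _head(buf, i)
    if major in (0, 1):                       # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), i
    if major in (2, 3):                       # byte string / text string
        if i + arg > len(buf):
            raise ValueError("truncated string")
        raw = bytes(buf[i:i + arg])
        return (raw if major == 2 else raw.decode("utf-8")), i + arg
    if major in (4, 5):                       # array / map: arg = entry count
        flat = []
        for _ in range(arg * (major - 3)):    # a map holds 2 items per entry
            value, i = _item(buf, i)
            flat.append(value)
        return (flat if major == 4 else dict(zip(flat[::2], flat[1::2]))), i
    raise ValueError("unsupported CBOR item")

def classify(reply):
    """Name the authenticator from its GetInfo reply (status byte + CBOR map)."""
    if not reply or reply[0] != 0x00:
        raise ValueError("authenticatorGetInfo did not succeed")
    info, end = _item(reply, 1)
    if end != len(reply) or not isinstance(info, dict):
        raise ValueError("malformed GetInfo payload")
    raw = info.get(0x01)                      # map key 0x01 = versions
    versions = {v for v in raw if isinstance(v, str)} if isinstance(raw, list) else set()
    if not any(v.startswith("FIDO_2_") for v in versions):
        return "no CTAP2 version advertised"
    return "FIDO2 authenticator" + (", backward compatible with U2F" if "U2F_V2" in versions else " (CTAP2 only)")
```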
How can you use CTAP?
Strong single or multi-factor authentication using a hardware authenticator eliminates the need for weak password-based authentication.
Two Factor Authentication
Strong two factor authentication using a hardware authenticator as an extra layer of protection beyond a password.
Strong multi-factor authentication using a hardware authenticator and a PIN or biometric, to meet high assurance requirements such as those needed for financial transactions and ordering a prescription.