The Client to Authenticator Protocol (CTAP) is a standardized protocol developed by the FIDO Alliance that enables secure communication between a client device (such as a browser, operating system, or application) and an external authenticator (like a hardware security key, smartphone, or biometric device) over channels such as USB, NFC, or Bluetooth Low Energy (BLE).

CTAP is a core component of the FIDO2 project, working alongside the Web Authentication (WebAuthn) standard from the W3C. While WebAuthn defines how web applications interact with browsers for authentication, CTAP specifies how the browser or platform communicates with the authenticator itself.

CTAP Versions

  • CTAP1 (formerly known as FIDO U2F): Supports second-factor authentication using devices like security keys, primarily for two-factor authentication (2FA).
  • CTAP2: Extends capabilities to enable passwordless, second-factor, or multi-factor authentication, supporting features like resident keys and biometrics.

How CTAP Works

  1. The client (browser, OS, or app) establishes a connection with the authenticator (e.g., security key or smartphone).
  2. The client queries the authenticator for its capabilities.
  3. The client sends authentication or registration commands to the authenticator.
  4. The authenticator processes the request and responds with the appropriate data or an error message.
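The four steps above, as an added Python example that is not part of this page: a CTAP2 request is one command byte followed by a CBOR-encoded parameter map, and the reply is one status byte followed by CBOR data, so the client must check the status byte before decoding anything. The command and status code values are those of the CTAP2 specification; the tiny CBOR codec, the in-process `authenticator` function and its `CREDENTIALS` table are constructed for this example (a real getAssertion response also carries authData and a signature, omitted here).

```python
# CTAP2 command and status codes (values from the CTAP2 specification)
CMD_GET_ASSERTION, CMD_GET_INFO, CTAP2_OK = 0x02, 0x04, 0x00
CTAP1_ERR_INVALID_COMMAND, CTAP2_ERR_INVALID_CBOR, CTAP2_ERR_NO_CREDENTIALS = 0x01, 0x12, 0x2E

def _head(major, n):  # CBOR initial byte(s); arguments up to 255 are enough for this demo
    return bytes([major << 5 | n]) if n < 24 else bytes([major << 5 | 24, n])

def cbor_encode(v):  # minimal encoder for the CBOR types these CTAP2 messages use
    if isinstance(v, int):   return _head(0, v)
    if isinstance(v, bytes): return _head(2, len(v)) + v
    if isinstance(v, str):   return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):  return _head(4, len(v)) + b"".join(map(cbor_encode, v))
    if isinstance(v, dict):  # CTAP canonical CBOR: map keys in sorted order
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(v[k]) for k in sorted(v))
    raise TypeError(type(v))

def cbor_decode(b, i=0):  # returns (value, next_index); raises on malformed input
    major, info = b[i] >> 5, b[i] & 0x1F
    if info > 24: raise ValueError("unsupported CBOR argument")
    n, i = (info, i + 1) if info < 24 else (b[i + 1], i + 2)
    if major == 0: return n, i
    if major in (2, 3):
        if i + n > len(b): raise ValueError("truncated string")
        return (b[i:i + n] if major == 2 else b[i:i + n].decode()), i + n
    if major in (4, 5):
        out = [] if major == 4 else {}
        for _ in range(n):
            k, i = cbor_decode(b, i)
            if major == 4: out.append(k)
            else: v, i = cbor_decode(b, i); out[k] = v
        return out, i
    raise ValueError("unsupported CBOR major type")

CREDENTIALS = {"example.com": b"\x01" * 16}  # constructed: one credential id per relying party
def authenticator(request):  # simulated authenticator (constructed for this example; not a real device)
    cmd, payload = request[0], request[1:]
    if cmd == CMD_GET_INFO:  # getInfo takes no parameters; response keys 1=versions, 3=aaguid
        return bytes([CTAP2_OK]) + cbor_encode({1: ["U2F_V2", "FIDO_2_0"], 3: bytes(16)})
    if cmd != CMD_GET_ASSERTION: return bytes([CTAP1_ERR_INVALID_COMMAND])
    try:  # the parameter map must decode cleanly and fill the payload exactly
        params, end = cbor_decode(payload)
        if end != len(payload) or not isinstance(params, dict): raise ValueError("bad params")
    except (IndexError, ValueError):
        return bytes([CTAP2_ERR_INVALID_CBOR])
    if not isinstance(params.get(1), str) or params[1] not in CREDENTIALS:  # key 1 = rpId
        return bytes([CTAP2_ERR_NO_CREDENTIALS])
    return bytes([CTAP2_OK]) + cbor_encode({1: {"id": CREDENTIALS[params[1]], "type": "public-key"}})

def ctap_call(cmd, params=None):  # client: frame the request, send it, check status before decoding
    response = authenticator(bytes([cmd]) + (cbor_encode(params) if params is not None else b""))
    return (response[0], cbor_decode(response[1:])[0]) if response[0] == CTAP2_OK else (response[0], None)
```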

Synonyms:
CTAP