Client To Authenticator Protocol (CTAP) - FIDO2 Developer Guide

Learn how to integrate FIDO2 security keys using the Client To Authenticator Protocol (CTAP). This comprehensive guide covers CTAP versions, implementation strategies, and practical examples for building secure, passwordless authentication systems.

Client To Authenticator Protocol (CTAP)

FIDO2 consists of two standardized components: a web API (WebAuthn) and a protocol for clients to communicate with authenticators, the Client To Authenticator Protocol (CTAP). The client can be a platform (an Operating System such as Microsoft Windows), a browser (such as Google Chrome), or an application (such as an SSH client).

CTAP clients can use different transports to communicate with an authenticator. When the authenticator is a FIDO security key, USB, NFC, or Bluetooth is typically used.

The difference between WebAuthn and CTAP is illustrated in the figure below.

[Figure: FIDO2 Architecture showing WebAuthn API and CTAP protocol layers]
Note
Web developers will typically never need to use CTAP directly. Instead, they will use the WebAuthn API that is supported by all major browsers. See our WebAuthn and Passkeys guides for guidance on implementing FIDO authentication for web applications.

What’s New: CTAP 2.3 and CTAP 2.2

CTAP 2.3 (published February 2026) is the current version of the protocol and the basis for all FIDO2 certifications. It is backwards-compatible with CTAP 2.2—no breaking changes were introduced. The features below span both versions.

| Challenge | CTAP 2.2 Solution | Why It Matters |
| --- | --- | --- |
| Users tired of repeated PIN prompts | Persistent PIN/UV Auth Tokens (PPUATs) | Allows applications to reuse PIN/UV authentication for credential discovery without re-prompting, creating a smoother user experience. |
| Enterprises need stronger PIN rules | PIN Complexity Policies | Enforce longer or more complex PINs at the hardware level to meet compliance requirements like NIST SP 800-63B. |
| Expanding passwordless to regulated payments | thirdPartyPayment Extension | Enables Secure Payment Confirmation (SPC) across domains, critical for standards like PSD2 and card network compliance. |
| Richer, safer credential lifecycle management | Persistent Credential Management – Read-only (pcmr) permission | Lets applications query stored credentials with more detail for auditing or UI improvements, without granting destructive permissions. |
| Applications needing per-service secrets | hmac-secret-mc / PRF | Provides scoped secrets tied to credentials during creation, useful for secure local storage or encrypted app data. |
| Enabling advanced cryptographic use cases | ARKG/Raw Signing extensions | Allows signing of arbitrary data, turning the key into a hardware root of trust for new applications like digital wallets. |
| Richer authenticator metadata | New getInfo properties | Applications can query authenticator capabilities like UV counters, attestation formats, and max PIN length to adapt their UX dynamically. |

Learn More About CTAP Versions

To help you build your application, we have created detailed guides for each major version of the CTAP specification.

  • CTAP 2.3

    Covers the refinements introduced in CTAP 2.3: BLE hybrid transport channel, pinComplexityPolicyURL for improved PIN rejection UX, long touch for reset, and protocol clarifications. All FIDO2 certifications are now issued against CTAP 2.3.

  • CTAP 2.2

    Comprehensive guide to CTAP 2.2 features: Persistent PIN/UV Auth Tokens (PPUAT), PIN complexity policies, thirdPartyPayment, hmac-secret-mc, hybrid transport, and richer authenticator metadata. Includes SDK support status across Yubico’s developer tools.

  • CTAP 2.1

    Technical reference for CTAP 2.1 features and extensions, including enterprise attestation, credential management, alwaysUv, minimum PIN length, and HMAC secret. Includes command-line examples using fido2-token.

CTAP Versions Explained

The CTAP specification refers to two protocol versions: CTAP1 and CTAP2.

  • CTAP1 refers to the FIDO U2F protocol. CTAP1 can only be used as a second factor, i.e., it does not support user verification using a PIN or a biometric.

  • CTAP2 supports user verification and is a much more versatile protocol. An authenticator that implements CTAP2 is called a FIDO2 authenticator. If that authenticator also implements CTAP1/U2F, it is backward compatible with U2F.

CTAP2 also has different sub-versions, similar to WebAuthn levels. Authenticators can report the CTAP2 version they support using version identifiers, like FIDO_2_0, FIDO_2_1_PRE, or FIDO_2_1.
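As an added example (not code from this page or from Yubico's libraries), the following Python decodes a CTAP2 authenticatorGetInfo response and maps the reported version identifiers, options and extensions to the capabilities described above. The map keys and option names are those assigned by the CTAP2 specification; the sample response bytes are constructed for illustration, not captured from a real key.

```python
KEY_VERSIONS, KEY_EXTENSIONS, KEY_OPTIONS, KEY_MIN_PIN_LENGTH = 0x01, 0x02, 0x04, 0x0D  # getInfo map keys
VERSION_ORDER = ["FIDO_2_0", "FIDO_2_1_PRE", "FIDO_2_1"]   # CTAP2 version identifiers, oldest to newest

def _decode_cbor(buf, pos=0):
    """Decode one CBOR item at buf[pos]; covers the types a getInfo response uses."""
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if info >= 24:                                   # 1/2/4/8-byte argument follows
        n = 1 << (info - 24)
        info, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if major == 0:                                   # unsigned integer
        return info, pos
    if major in (2, 3):                              # byte string / text string
        return (bytes(buf[pos:pos + info]) if major == 2 else buf[pos:pos + info].decode()), pos + info
    if major in (4, 5):                              # array / map
        out = [] if major == 4 else {}
        for _ in range(info):
            item, pos = _decode_cbor(buf, pos)
            if major == 4:
                out.append(item)
            else:                                    # item is the key; value follows
                out[item], pos = _decode_cbor(buf, pos)
        return out, pos
    if major == 7 and info in (20, 21):              # false / true
        return info == 21, pos
    raise ValueError("unsupported CBOR item at offset %d" % (pos - 1))

def summarize_get_info(response):
    """response = CTAP status byte followed by the CBOR-encoded getInfo map."""
    if response[0] != 0x00:
        raise ValueError("authenticator returned CTAP error 0x%02x" % response[0])
    info, _ = _decode_cbor(response, 1)
    versions, options = info.get(KEY_VERSIONS, []), info.get(KEY_OPTIONS, {})
    ctap2 = [v for v in VERSION_ORDER if v in versions]
    return {             # option semantics: key absent = unsupported, False = supported but not configured
        "u2f_compatible": "U2F_V2" in versions,          # CTAP1 fallback available
        "ctap2_version": ctap2[-1] if ctap2 else None,   # newest FIDO2 version reported
        "pin_supported": "clientPin" in options,
        "pin_set": options.get("clientPin") is True,
        "hmac_secret": "hmac-secret" in info.get(KEY_EXTENSIONS, []),
        "min_pin_length": info.get(KEY_MIN_PIN_LENGTH),
    }

SAMPLE_GET_INFO = (                                  # constructed, not captured from a real key
    b"\x00\xa5"                                      # CTAP2_OK status, then map(5)
    b"\x01\x83\x66U2F_V2\x68FIDO_2_0\x68FIDO_2_1"    # 0x01 versions
    b"\x02\x82\x6bhmac-secret\x6bcredProtect\x03\x50" + bytes(16) +  # 0x02 extensions, 0x03 aaguid (zero placeholder)
    b"\x04\xa4\x62rk\xf5\x62up\xf5\x62uv\xf4\x69clientPin\xf5"  # 0x04 options
    b"\x0d\x04"                                      # 0x0D minPINLength = 4
)
```

Calling `summarize_get_info(SAMPLE_GET_INFO)` reports a key that is U2F-compatible, speaks FIDO_2_1, has a PIN set, and offers hmac-secret; a non-zero first byte is a CTAP error status and is rejected before any CBOR is parsed.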

Developing FIDO-Aware Applications

With CTAP, there are different options for developers to leverage FIDO authenticators to secure their applications:

  1. Use the WebAuthn API, if the application is a web application where the client is a web browser.

  2. Use a platform API, if the application is a Desktop or Mobile application running on a platform that offers such an API. An example is the WebAuthn API on Microsoft Windows (webauthn.dll).

  3. Use a library that implements the CTAP protocol, if the application is a Desktop or Mobile application and a platform API is not available or not suitable.

Yubico offers several libraries and SDKs for developers. For a complete list, please see our Software Projects page.