Client To Authenticator Protocol (CTAP)

FIDO2 consists of two standardized components, a web API (WebAuthn) and a protocol for clients to communicate with authenticators: the Client To Authenticator Protocol (CTAP). The client can be a platform (an Operating System such as Microsoft Windows), a browser (such as Google Chrome), or an application (such as an SSH client).

CTAP clients can use different transports to communicate with an authenticator. When the authenticator is a FIDO security key, USB or NFC is typically used.

The difference between WebAuthn and CTAP is illustrated in the figure below.

fido2_building_blocks.png

Note that web developers will never need to use CTAP. Instead, they will use the WebAuthn API that is supported by all major browsers. See our WebAuthn documentation for guidance on implementing FIDO authentication for web applications.

The current version of the Client To Authenticator Protocol is CTAP 2.1.

Developing applications supporting FIDO

With CTAP, there are now different options for developers to leverage FIDO authenticators to secure their applications:

  1. Use the WebAuthn API, if the application is a web application. That is, the client is a web browser.

  2. Use a platform API, if the application is a Desktop or Mobile application running on a platform that offers such an API. An Example is the WebAuthn API on Microsoft Windows (webauthn.dll).

  3. Use a library that implements the CTAP protocol, if the application is a Desktop or Mobile application and a platform API is not available or not suitable.

Yubico offers several CTAP libraries for developers:

The libfido2 library comes with some command-line tools. We will be using the fido2-token tool in this section to illustrate some of the CTAP features. See also its manual page.

Many third-party libraries provide bindings of libfido2 for other programming languages.

Note that when working with YubiKeys or the FIDO Security Key by Yubico, there are also these SDKs available to integrate with:

CTAP versions

The CTAP specification refers to two protocol versions: CTAP1 and CTAP2 . CTAP1 is a new name for FIDO U2F. CTAP1 can only be used as a second factor, i.e. it does not support user verification using a PIN or a biometric. CTAP2 does support user verification and is a much more versatile protocol.

An authenticator that implements CTAP2 is called a FIDO2 authenticator. If that authenticator implements CTAP1/U2F as well, it is backward compatible with U2F.

CTAP2 also has different sub-versions, similar to WebAuthn levels. Authenticators can report the CTAP2 version they support using version identifiers, like FIDO_2_0, FIDO_2_1_PRE, or FIDO_2_1. FIDO2 authenticators that also support U2F (i.e. CTAP1), will report U2F_V2 as a supported version.

For instance: when retrieving information from a FIDO2 security key (on a linux system where it is assigned USB HID device file /dev/hidraw0):

fido2-token -I /dev/hidraw0
...
version strings: FIDO_2_0, FIDO_2_1_PRE, FIDO_2_1
...

Note that on macOS, the device is typically referred to with something that looks like ioreg://1234567890.

To find the list of FIDO security keys available, use:

fido2-token -L
ioreg://4295201353: vendor=0x1050, product=0x0406 (Yubico YubiKey FIDO+CCID)
ioreg://4295266735: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)

CTAP Authenticator API commands

CTAP defines a number of Authenticator API commands that can be used to communicate with an Authenticator. They are typically invoked from a FIDO library, or through the WebAuthn API when using a browser. Indeed, the WebAuthn navigator.credentials.create() and navigator.credentials.get() API methods translate to the CTAP authenticatorMakeCredential and authenticatorGetAssertion commands, respectively.

To use these CTAP API command from the command-line, have a look at the fido2-cred and fido2-assert tools that are part of libfido2.

There are also API commands that cannot be invoked directly through the WebAuthn API, for instance for setting or changing PINs, enrolling a biometric, or managing credentials.

For a full list of CTAP Authenticator API commands, see the CTAP 2.1 specification

CTAP Features

CTAP defines several optional features that can be implemented on Authenticators, depending on the CTAP version implemented.

Clients can request an authenticator to report a list of its supported protocol versions and other information using the authenticatorGetInfo API command.

The fido2-token tool can be used to invoke this command from the command-line:

fido2-token -I /dev/hidraw0
proto: 0x02
major: 0x05
minor: 0x07
build: 0x00
caps: 0x05 (wink, cbor, msg)
version strings: FIDO_2_0, FIDO_2_1_PRE, FIDO_2_1
extension strings: credProtect, hmac-secret, largeBlobKey, credBlob, minPinLength
transport strings: nfc, usb
algorithms: es256 (public-key), eddsa (public-key), es384 (public-key)
aaguid: f8a011f38c0a4d15800617111f9edc7d
options: rk, up, noplat, alwaysUv, credMgmt, authnrCfg, clientPin, largeBlobs, pinUvAuthToken, setMinPINLength, nomakeCredUvNotRqd, credentialMgmtPreview
fwversion: 0x50700
maxmsgsiz: 1280
maxcredcntlst: 8
maxcredlen: 128
maxlargeblob: 4096
maxrpids in minpinlen: 1
remaining rk(s): 98
minpinlen: 4
pin protocols: 2, 1
pin retries: 8
pin change required: false
uv retries: undefined

The meaning of some of this command’s output is explained below and on its manual page.

Credential Management

Credential management is used to manage discoverable credentials on the authenticator. This feature is important, as without it there is no way to delete credentials that are stored on an authenticator, other than resetting the authenticator (and deleting all credentials instead of a specific one). Hardware security keys typically have limited storage for discoverable credentials (for instance 100 on a YubiKey with firmware 5.7), so it can be very useful to delete credentials that are no longer being used.

Credential Management also allows for enumeration of credentials, the retrieval of credential metadata and updating credential user information.

The YubiKey and the FIDO Security Key by Yubico support credential management since firmware version 5.2.

The fido2-token tool can be used for performing credential management from the command-line.

For instance, to list discoverable credentials stored on a device:

fido2-token -L -r $DEV
Enter PIN: ******
00: 4wYQ6KFiEVlg/h7CI+ZSnJ9LboAgDcteXDIcivHisb8= ssh:
01: 5Yaf4EYzO6ALp/K7s+p+BQLPSCYVYcKLZptoXwxqQzs= passkey.org

To delete a discoverable credential, use the -D option and specify its (base64-encoded) credential ID with -i:

fido2-token -D -i VGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUsIG5vdCBhbiBhY3R1YWwgY3JlZCBJRDop /dev/hidraw0
Enter PIN: ******

Enterprise Attestation

Enterprise Attestation (EA) was added in CTAP version 2.1 and WebAuthn L2. As suggested by its name, it is intended for use within enterprises to uniquely identify an authenticator, something that is explicitly made infeasible with normal attestation to preserve user privacy. In an enterprise scenario, EA can be used for asset tracking or to aid in account recovery flows by allowing an end user to prove they have a specific FIDO2 authenticator. It requires an authenticator that is specifically configured for use within a particular enterprise, so it will not be generally available on authenticators.

The YubiKey and the FIDO Security Key by Yubico support enterprise attestation since firmware version 5.7, but only on custom configured keys. It will allow Relying Parties to read the serial number (or another organization-specified unique identifier) from the YubiKey during FIDO2 registration.

Enterprise attestation can be enabled on a device using:

fido2-token -S -a /dev/hidraw0
Enter PIN: ******

Always Require User Verification

This feature, called AlwaysUV, causes every FIDO2 registration or authentication event to require a PIN or biometric, regardless of the options set by the relying party or platform.

The current status for AlwaysUV can be retrieved using When using the fido2-token tool with the -I switch, the current status is listed under options as

  • alwaysUv, meaning AlwaysUV is enabled, or

  • noalwaysUv, meaning AlwaysUV is disabled.

The AlwaysUV feature can be enabled on a device using fido2-token -S -u or disabled using fido2-token -D -u.

Set Minimum PIN Length

Another feature that is intended for use in an enterprise or government environment is "Set Minimum PIN Length", which enforces a minimum PIN length policy for authenticators.

Minimum PIN Length allows Identity Providers to enforce the configured minimum PIN length during FIDO2 registration, to support self-enrollment processes. The minimum PIN length can only be configured by platforms, or by communicating to the YubiKey directly, and can only be enforced by identity providers or relying parties in an allowed list configured on the YubiKey.

To set a minimum PIN length for a device to 6:

fido2-token -S -l 6 /dev/hidraw0
Enter PIN: ******

To force a PIN change:

fido2-token -S -f /dev/hidraw0
Enter PIN: ******

The authenticator cannot be used before the PIN is changed. For instance, when listing discoverable credentials, an PIN violation occurs:

fido2-token -L -r /dev/hidraw0
Enter PIN for: ******
fido2-token: fido_credman_get_dev_rp: FIDO_ERR_PIN_POLICY_VIOLATION

To set a list of RP IDs allowed to retrieve the minimum PIN length, use the -S -m option:

fido2-token -S -m example.org,example.com /dev/hidraw0
Enter PIN: ******

See also the minimum PIN length extension below.

Extensions

FIDO authenticators may support optional extensions.

For a list of defined extensions, see the CTAP specification

The extensions supported by an authenticator can be retrieved using the authenticatorGetInfo API command.

The fido2-token tool can be used to invoke this command from the command-line, where the supported extensions are listed as extension strings. For instance:

fido2-token -I /dev/hidraw0
...
extension strings: credProtect, hmac-secret, largeBlobKey, credBlob, minPinLength
...

See below for what these extensions entail.

Credential Protection (credProtect)

The Credential Protection extension can be used to improve privacy in case an unauthorized user has access to an authenticator. It allows a Relying Party to set a credential protection policy at registration.

With the Credential Protection extension set, the associated FIDO2 credential can be flagged to not be exposed to any one without user verification It can neither be read nor used for authentication with the user asserting their identity.

Credential Blob (credBlob) and Large Blob Key (largeBlobKey)

The Large blob storage extension (largeBlob) allow a Relying Party to

Note that large blobs are also available from the WebAuthn API. See the WebAuthn Level 2 W3C Recommandation.

Note that on some browsers, the HMAC Secret extension is also available

To list all large blobs stored on an authenticator:

fido2-token -L -b /dev/hidraw0
Enter PIN for /dev/hidraw0: ********
total map size: 1219 bytes
00:  591  893 <unknown> <unknown>
01:  581  889 dhx715WNlF36vMvo5hV0SBOPfWqS1ncj2P2BgW2513a/rLvg64Tl4f0/uDrs1LsE example.org

To store the contents of file myfile as a large blob on an authenticator:

fido2-token -S -b -n example.org myfile /dev/hidraw0
Enter PIN for /dev/hidraw0: ********

To retrieve a large blob from an authenticator and store it in myfile:

fido2-token -G -b -n example.org myfile /dev/hidraw0
Enter PIN for /dev/hidraw0: ********

To delete a large blob associated with RP ID example.org from an authenticator:

fido2-token -D -b -n example.org /dev/hidraw0
Enter PIN for /dev/hidraw0: ********

An example use-case for largeBlobs is SSH, where an SSH certificate can be stored on an authenticator, together with is corresponding private key.

Minimum PIN Length Extension (minPinLength)

The Minimum PIN Length extension allows clients to retrieve the minimum PIN length for a specific RP ID. Which RP IDs are allowed to retrieve this information can be set.

HMAC Secret Extension (hmac-secret)

The HMAC Secret extension can be used by a client to retrieve a symmetric secret from the authenticator when it needs to encrypt or decrypt data.

The HMAC secrets extension is enabled on a create credential request, and the symmetric secret is scoped to the generated credential.

For an example of using the HMAC Secret extension using the python-fido2 Python library, see hmac_secret.py.

Note that on some browsers, the HMAC Secret extension is also available from the WebAuthn API, where it is known as the PRF extension. The WebAuthn PRF extension is specified in the forthcoming WebAuthn Level 3 draft.

FIDO CTAP support on YubiKeys

See the YubiKey Technical Manual for an overview of FIDO2 features and extensions available per firmware version