
Learn how to integrate FIDO2 security keys using the Client to Authenticator Protocol (CTAP). This guide covers CTAP versions, implementation options, and practical examples for building secure, passwordless authentication.
FIDO2 consists of two standardized components: a web API (WebAuthn) and a protocol for clients to communicate with authenticators, the Client to Authenticator Protocol (CTAP). The client can be a platform (an operating system such as Microsoft Windows), a browser (such as Google Chrome), or an application (such as an SSH client).
CTAP clients can use different transports to communicate with an authenticator. When the authenticator is a FIDO security key, USB (using the CTAPHID framing defined in the CTAP specification), NFC, or Bluetooth Low Energy (BLE) is typically used.
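As an added example (not code from python-fido2 or any Yubico library), the following shows what the USB transport actually moves: a CTAP2 command is split into 64-byte HID reports according to the CTAPHID section of the CTAP specification. An initialization packet carries the 4-byte channel ID, the command byte with bit 7 set, a 16-bit big-endian payload length and up to 57 bytes of data; continuation packets carry the channel ID, a sequence number starting at 0 and up to 59 bytes. The channel ID and payloads are constructed for the example (a real channel ID is allocated with CTAPHID_INIT); the reassembler includes the checks a receiver must make against mixed channels, out-of-order packets and short messages.

```python
"""CTAPHID framing: how a CTAP2 command is split into 64-byte USB HID reports.

Added example, not Yubico library code. Channel ID and payloads are constructed.
"""

REPORT_LEN = 64
INIT_DATA_LEN = REPORT_LEN - 7       # init packet: CID(4) + CMD(1) + BCNT(2) + 57 data bytes
CONT_DATA_LEN = REPORT_LEN - 5       # continuation packet: CID(4) + SEQ(1) + 59 data bytes
MAX_SEQ = 0x7F                       # continuation sequence numbers run 0..127
MAX_PAYLOAD = INIT_DATA_LEN + (MAX_SEQ + 1) * CONT_DATA_LEN   # 7609 bytes

TYPE_INIT = 0x80                     # bit 7 of the command byte marks an init packet
CTAPHID_MSG = 0x03                   # payload is a CTAP1/U2F APDU
CTAPHID_CBOR = 0x10                  # payload is a CTAP2 command byte + CBOR parameters
CTAP2_GET_INFO = 0x04                # authenticatorGetInfo takes no parameters


def frame_request(cid: int, cmd: int, payload: bytes) -> list[bytes]:
    """Split one CTAPHID message into fixed-size, zero-padded HID reports."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError(f"payload of {len(payload)} bytes exceeds CTAPHID maximum {MAX_PAYLOAD}")
    if cmd & TYPE_INIT:
        raise ValueError("command byte must not have bit 7 set; framing adds it")
    cid_bytes = cid.to_bytes(4, "big")
    header = cid_bytes + bytes([TYPE_INIT | cmd]) + len(payload).to_bytes(2, "big")
    packets = [(header + payload[:INIT_DATA_LEN]).ljust(REPORT_LEN, b"\x00")]
    rest = payload[INIT_DATA_LEN:]
    seq = 0
    while rest:
        chunk, rest = rest[:CONT_DATA_LEN], rest[CONT_DATA_LEN:]
        packets.append((cid_bytes + bytes([seq]) + chunk).ljust(REPORT_LEN, b"\x00"))
        seq += 1
    return packets


def reassemble(packets: list[bytes]) -> tuple[int, bytes]:
    """Reverse of frame_request, with receiver-side checks. Returns (command, payload)."""
    first = packets[0]
    cid, cmd = first[:4], first[4]
    if not cmd & TYPE_INIT:
        raise ValueError("message does not start with an initialization packet")
    announced = int.from_bytes(first[5:7], "big")
    data = bytearray(first[7:])
    for seq, pkt in enumerate(packets[1:]):
        if pkt[:4] != cid:
            raise ValueError("continuation packet from a different channel")
        if pkt[4] & TYPE_INIT:
            raise ValueError("new initialization packet in the middle of a message")
        if pkt[4] != seq:
            raise ValueError(f"expected sequence {seq}, got {pkt[4]}")
        data += pkt[5:]
    if len(data) < announced:
        raise ValueError(f"announced {announced} bytes, received only {len(data)}")
    return cmd & 0x7F, bytes(data[:announced])   # strip the init bit, drop the padding


def get_info_request(cid: int) -> list[bytes]:
    """CTAP2 authenticatorGetInfo: a CBOR message whose whole payload is the command byte."""
    return frame_request(cid, CTAPHID_CBOR, bytes([CTAP2_GET_INFO]))


if __name__ == "__main__":
    cid = 0x01020304                    # constructed channel ID for the example
    for pkt in get_info_request(cid):
        print(pkt.hex())                # one 64-byte report: 01020304 90 0001 04 00...
    big = bytes(range(256)) * 2         # 512-byte payload forces continuation packets
    assert reassemble(frame_request(cid, CTAPHID_CBOR, big)) == (CTAPHID_CBOR, big)
```

A getInfo request fits in a single report, so the continuation path only matters for larger messages such as makeCredential with a long exclude list; the 512-byte payload in the usage block exercises it. The same channel-ID and sequence checks are what keep two clients sharing one key from corrupting each other's messages.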
The difference between WebAuthn and CTAP is illustrated in the figure below.
Note: Web developers will typically never need to use CTAP directly. Instead, they use the WebAuthn API, which all major browsers support. See our WebAuthn and Passkeys guides for implementing FIDO authentication in web applications.
The latest version of the protocol, CTAP 2.2, introduces significant enhancements for usability, enterprise security, and interoperability. These features address key developer and user challenges in the evolving passwordless ecosystem.
Challenge | CTAP 2.2 Solution | Why It Matters |
---|---|---|
Users tired of repeated PIN prompts | Persistent PIN/UV Auth Tokens (PPUATs) | Allows applications to reuse PIN/UV authentication for credential discovery without re-prompting, creating a smoother user experience. |
Enterprises need stronger PIN rules | PIN Complexity Policies | Enforce longer or more complex PINs at the hardware level to meet compliance requirements like NIST SP 800-63B. |
Expanding passwordless to regulated payments | | Enables Secure Payment Confirmation (SPC) across domains, critical for standards like PSD2 and card network compliance. |
Richer, safer credential lifecycle management | Persistent Credential Management (read-only) | Lets applications query stored credentials with more detail for auditing or UI improvements, without granting destructive permissions. |
Applications needing per-service secrets | | Provides scoped secrets tied to credentials during creation, useful for secure local storage or encrypted app data. |
Mitigating risk of unlocked, unattended authenticators | Always-Require-User-Verification | A configurable state that forces user verification (PIN/biometric) on all sensitive operations, critical for high-assurance environments. |
Enabling advanced cryptographic use cases | ARKG/Raw Signing extensions | Allows signing of arbitrary data, turning the key into a hardware root of trust for new applications like digital wallets. |
Enterprises managing multiple IdPs or test/prod environments | Increased RP ID storage for Enterprise Attestation (from 2 to 16) | Simplifies deployment and management across complex corporate environments by allowing a single key to be attested for multiple services. |
Richer authenticator metadata | New | Applications can query authenticator capabilities like UV counters, attestation formats, and max PIN length to adapt their UX dynamically. |
To help you build your application, we have created detailed guides for each major version of the CTAP specification:
- CTAP 2.2: Our comprehensive guide to the latest standard. It explains new features in plain language, compares them to previous versions, and shows where Yubico’s SDKs and tools support them today.
- CTAP 2.1: A technical reference for the features and extensions introduced in CTAP 2.1, including enterprise attestation, credential management, and more.
The CTAP specification refers to two protocol versions: CTAP1 and CTAP2.
CTAP1 refers to the FIDO U2F protocol. It only proves user presence (a touch); it has no user verification (PIN or biometric) and no discoverable credentials, so it can only be used as a second factor.
CTAP2 supports user verification and discoverable credentials and is a much more versatile protocol. An authenticator that implements CTAP2 is called a FIDO2 authenticator. If that authenticator also implements CTAP1/U2F, it is backward compatible with U2F.
CTAP2 also has different sub-versions, similar to WebAuthn levels. Authenticators report the versions they support in the versions field of the authenticatorGetInfo response, using identifiers such as U2F_V2, FIDO_2_0, FIDO_2_1_PRE, FIDO_2_1 or FIDO_2_2. A client should read this list (and the options map in the same response) before choosing how to talk to the key.
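The following is an added example, not code from python-fido2 or any Yubico library, of what a client does with that response: it checks the CTAP2 status byte, decodes the CBOR map with a minimal decoder, and derives which protocol level to speak and whether PIN or built-in user verification is available. The response bytes are constructed for the example and the AAGUID is an all-zero placeholder. The key numbers (0x01 versions, 0x02 extensions, 0x03 aaguid, 0x04 options, 0x05 maxMsgSize, 0x06 pinUvAuthProtocols) and the tri-state meaning of the clientPin and uv options (absent = not supported, false = supported but not configured, true = configured) are taken from the CTAP2 specification; everything else is this example's own design.

```python
"""Decode a CTAP2 authenticatorGetInfo response and pick a protocol level.

Added example, not code from python-fido2 or any Yubico library. The sample
response is constructed; the AAGUID in it is an all-zero placeholder.
"""

CTAP2_OK = 0x00
GET_INFO_KEYS = {1: "versions", 2: "extensions", 3: "aaguid",
                 4: "options", 5: "maxMsgSize", 6: "pinUvAuthProtocols"}


def _decode_item(data: bytes, pos: int):
    """Minimal CBOR (RFC 8949) decoder for the types getInfo uses; returns (value, next_pos)."""
    initial = data[pos]
    major, addl = initial >> 5, initial & 0x1F
    pos += 1
    if addl < 24:
        arg = addl
    elif addl <= 27:                                  # 1, 2, 4 or 8 byte argument follows
        width = 1 << (addl - 24)
        arg = int.from_bytes(data[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError(f"unsupported additional information {addl}")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):                               # byte string / text string
        if pos + arg > len(data):
            raise ValueError("string runs past end of input")
        raw = data[pos:pos + arg]
        return (bytes(raw) if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 4:                                    # array
        items = []
        for _ in range(arg):
            item, pos = _decode_item(data, pos)
            items.append(item)
        return items, pos
    if major == 5:                                    # map
        result = {}
        for _ in range(arg):
            key, pos = _decode_item(data, pos)
            value, pos = _decode_item(data, pos)
            result[key] = value
        return result, pos
    if major == 7 and addl in (20, 21, 22):           # false, true, null
        return {20: False, 21: True, 22: None}[addl], pos
    raise ValueError(f"unsupported CBOR item: major type {major}, info {addl}")


def parse_get_info(response: bytes) -> dict:
    """Check the CTAP2 status byte, then decode the CBOR map and name its integer keys."""
    if not response:
        raise ValueError("empty response")
    if response[0] != CTAP2_OK:
        raise ValueError(f"authenticator returned CTAP error 0x{response[0]:02x}")
    body, end = _decode_item(response, 1)
    if end != len(response) or not isinstance(body, dict):
        raise ValueError("malformed getInfo response")
    return {GET_INFO_KEYS.get(k, k): v for k, v in body.items()}


def select_protocol(info: dict) -> dict:
    """Decide what a client can do with this authenticator from its parsed getInfo."""
    versions = set(info.get("versions", []))
    options = info.get("options", {})
    if "FIDO_2_2" in versions:
        level = "CTAP2.2"
    elif "FIDO_2_1" in versions:
        level = "CTAP2.1"
    elif "FIDO_2_0" in versions or "FIDO_2_1_PRE" in versions:
        level = "CTAP2.0"       # FIDO_2_1_PRE is a pre-release of 2.1; treat it as 2.0
    elif "U2F_V2" in versions:
        level = "CTAP1"         # U2F only: user presence, second factor only
    else:
        raise ValueError(f"no usable protocol version in {sorted(versions)}")

    def tri_state(name: str) -> str:  # CTAP2 option semantics for clientPin and uv
        if name not in options:
            return "unsupported"
        return "configured" if options[name] is True else "supported"

    return {"protocol": level, "u2f_fallback": "U2F_V2" in versions,
            "clientPin": tri_state("clientPin"), "uv": tri_state("uv"),
            "resident_keys": options.get("rk", False)}


def _tstr(s: str) -> bytes:           # CBOR text string, length < 24 (sample builder only)
    return bytes([0x60 | len(s)]) + s.encode()


def _bstr(b: bytes) -> bytes:         # CBOR byte string, length < 24 (sample builder only)
    return bytes([0x40 | len(b)]) + b


# Constructed getInfo response: status 0x00, then a CBOR map with four entries.
SAMPLE_GET_INFO_RESPONSE = bytes([CTAP2_OK]) + (
    b"\xa4"
    + b"\x01" + b"\x83" + _tstr("U2F_V2") + _tstr("FIDO_2_0") + _tstr("FIDO_2_1")
    + b"\x02" + b"\x82" + _tstr("credProtect") + _tstr("hmac-secret")
    + b"\x03" + _bstr(bytes(16))                                   # placeholder AAGUID
    + b"\x04" + b"\xa3" + _tstr("rk") + b"\xf5" + _tstr("up") + b"\xf5"
    + _tstr("clientPin") + b"\xf4"                                 # PIN supported, not yet set
)

if __name__ == "__main__":
    print(select_protocol(parse_get_info(SAMPLE_GET_INFO_RESPONSE)))
```

For the sample response this yields CTAP2.1 with U2F fallback, a PIN that is supported but not yet set, and no built-in user verification. The distinction between "supported" and "configured" is the one to get right: a client that sees clientPin present and false must run the PIN-setting flow (or fall back to user presence only) rather than prompt for a PIN that does not exist.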
With CTAP, there are different options for developers to leverage FIDO authenticators to secure their applications:
- Use the WebAuthn API, if the application is a web application where the client is a web browser.
- Use a platform API, if the application is a desktop or mobile application running on a platform that offers such an API. An example is the WebAuthn API on Microsoft Windows (webauthn.dll).
- Use a library that implements the CTAP protocol, if the application is a desktop or mobile application and a platform API is not available or not suitable.
Yubico offers several libraries and SDKs for developers. For a complete list, please see our Software Projects.
- For building a web application using WebAuthn, there are java-webauthn-server and python-fido2.
- For building desktop applications, there are libfido2 (for C) and python-fido2.
- For mobile development, see yubikit-ios and yubikit-android.
- For .NET development, see the Yubico .NET SDK.