CTAP 2.2 delivers powerful new capabilities for enterprise deployments and improved user experiences. This technical guide covers persistent PIN tokens, payment authentication, and other protocol enhancements—along with SDK support status across Yubico’s developer tools.
The Client to Authenticator Protocol (CTAP) defines how authenticators communicate with clients for FIDO2 authentication. CTAP 2.2 strengthens the protocol with features that address enterprise deployment requirements and expand authentication options across the FIDO ecosystem.
For roaming authenticators like YubiKeys, this release delivers capabilities that reduce friction in enterprise workflows: persistent PIN/UV auth tokens eliminate repeated prompts during credential enumeration, PIN complexity policies enforce compliance requirements at the hardware level, and the thirdPartyPayment extension enables cross-domain authentication for regulated payment transactions.
CTAP 2.2 also formalizes hybrid transport, a protocol mechanism for cross-device authentication using QR codes and proximity pairing. This allows a platform authenticator on a phone to authenticate sessions on other devices like desktops—useful for everyday scenarios where convenience matters more than the highest assurance levels. Hybrid flows can create device-bound credentials (hardware-bound, like YubiKeys) or multi-device credentials (syncable across a user’s devices). For scenarios requiring attestation and non-exportable keys, hardware security keys remain the appropriate authenticator choice.
This guide covers CTAP 2.2 features from an implementation perspective, with specific guidance for Yubico SDKs. Many features operate at the native application layer—check our browser support matrix for WebAuthn API availability.
Note: WebAuthn and Browser Support. While CTAP 2.2 features are available at the protocol level, WebAuthn applications depend on browser support for these capabilities. Not all CTAP 2.2 features are exposed through the WebAuthn JavaScript API, and browser implementations vary. For web developers, consult our WebAuthn Browser Support page to verify which features your target browsers support before implementation.
CTAP 2.2 introduces new protocol capabilities and expands features established in CTAP 2.1. The table below highlights major changes, organized by relevance to roaming authenticators like YubiKeys.
| Feature | Description | Developer Benefit |
|---|---|---|
| Persistent PIN/UV Auth Tokens (PPUAT) | Long-lived tokens scoped to read-only credential management operations, eliminating repeated PIN prompts when enumerating stored credentials. | Dramatically improves UX in enterprise SSO portals and password managers. Reduces authentication fatigue in multi-step workflows where users enumerate credentials across relying parties. |
| PIN Complexity Policies | Hardware-enforced PIN requirements beyond CTAP 2.1's minimum PIN length, such as character set constraints; the specific rules are defined by the authenticator vendor and advertised through getInfo. | Meets enterprise compliance requirements (NIST SP 800-63B) at the authenticator level. Security policies cannot be circumvented by clients. |
| thirdPartyPayment Extension | Allows a credential to be asserted in a context where the transaction initiator (e.g., a merchant) differs from the relying party that created the credential (e.g., a bank), without requiring redirects. Only credentials created with the extension are eligible. | Critical for payment industry compliance with PSD2 Strong Customer Authentication. Enables standardized, phishing-resistant payment flows required by card networks and regulators. |
| HMAC Secret MakeCredential (hmac-secret-mc) | Extends the existing hmac-secret extension (present since CTAP 2.0) to also support secret derivation during credential creation (MakeCredential). The original hmac-secret extension for GetAssertion continues to function unchanged. | Enables immediate encryption of local data with hardware-backed secrets at registration time. Critical for password managers, encrypted vaults, and offline workstation scenarios that need a secret before first authentication. |
| Hybrid Transport | Cross-device authentication started by scanning a QR code, with a BLE advertisement from the phone as proof of physical proximity and the CTAP messages carried over an end-to-end encrypted network tunnel. Enables a platform authenticator on one device to authenticate sessions on another. | Expands FIDO adoption for consumer applications where convenience is prioritized. Developers can implement passwordless experiences that leverage users' existing devices. |
| JSON-Based Messaging | Optional JSON encoding for specific CTAP commands, supplementing the existing CBOR format. Primarily used in browser-mediated credential management contexts. | Simplifies integration for web-based credential management UIs. JavaScript applications can parse authenticator responses without CBOR decoding in certain scenarios. |
| Enhanced Authenticator Metadata (getInfo) | Richer self-description capabilities including UV counters, supported attestation formats, PIN complexity policy details, and maximum PIN length. | Enables adaptive client behavior. Applications can dynamically adjust UI and validation logic based on authenticator capabilities without trial-and-error probing. |
Note: Protocol Capabilities vs Device Support. This table reflects CTAP 2.2 protocol features. Individual authenticator implementations vary; check YubiKey firmware documentation and SDK support matrices for specific device capabilities.
| Persistent PIN/UV Auth Tokens (PPUAT) | Details |
|---|---|
| Spec | Allows long-lived tokens for read-only credential management operations without repeated PIN entry. |
| Use Case | Enterprise SSO portals where users browse multiple apps in one session. |
| Yubico Support | Available in Yubico.NET SDK v1.14.0+, yubikit-android v2.9.0+, and python-fido2 v2.0.0+. |
When an application needs to enumerate stored credentials, for example to list available passkeys across relying parties, it needs a pinUvAuthToken carrying the credential management (cm) permission. In CTAP 2.1 such tokens are short-lived: they expire on a usage timeout and are invalidated by a range of events, so a client that browses credentials over the course of a session typically has to prompt for the PIN again. PPUATs let the authenticator issue a longer-lived token whose only permission (pcmr, persistent credential management read-only) is scoped to the read-only credential management subcommands (getCredsMetadata, enumerateRPs, enumerateCredentials), dramatically improving the experience in enterprise portals and password managers. A PPUAT cannot be used for deleteCredential or updateUserInformation, and it grants no assertion or credential-creation permissions, so a leaked token exposes credential metadata but cannot sign or delete anything.
Caution: Browser Limitation. PPUATs are a protocol-level feature not currently exposed through WebAuthn APIs. This feature is primarily useful for native applications that communicate directly with authenticators via CTAP.
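To make the permission scoping concrete, the following is an added example (not code from this page or from any Yubico SDK) that models, with the standard library only, the checks an authenticator performs: the client computes a pinUvAuthParam over the credentialManagement subcommand and its CBOR parameters, and the authenticator verifies the MAC and then tests the token's permission bits. Assumptions: the pcmr bit value 0x40 is taken from python-fido2's `PERSISTENT_CREDENTIAL_MGMT` constant and should be confirmed against the spec; the `usage_timeout` method is a simplification of the invalidation events ordinary tokens are subject to; PIN/UV entry and the ECDH key agreement that protects the token on the wire are omitted, as are the subcommand responses.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass, field

# pinUvAuthToken permission bits. mc/ga/cm are CTAP 2.1 values; pcmr is the
# CTAP 2.2 addition. ASSUMPTION: 0x40 mirrors python-fido2's constant.
PERM_MC, PERM_GA, PERM_CM, PERM_PCMR = 0x01, 0x02, 0x04, 0x40

# credentialManagement subcommands (CTAP 2.1 section 6.8).
CM_GET_METADATA, CM_ENUM_RPS_BEGIN, CM_ENUM_RPS_NEXT = 0x01, 0x02, 0x03
CM_ENUM_CREDS_BEGIN, CM_ENUM_CREDS_NEXT, CM_DELETE_CRED, CM_UPDATE_USER = 0x04, 0x05, 0x06, 0x07
READ_ONLY = {CM_GET_METADATA, CM_ENUM_RPS_BEGIN, CM_ENUM_RPS_NEXT,
             CM_ENUM_CREDS_BEGIN, CM_ENUM_CREDS_NEXT}

CTAP_OK = 0x00
ERR_PIN_AUTH_INVALID = 0x33          # CTAP2_ERR_PIN_AUTH_INVALID
ERR_UNAUTHORIZED_PERMISSION = 0x40   # CTAP2_ERR_UNAUTHORIZED_PERMISSION


def authenticate(protocol: int, token: bytes, message: bytes) -> bytes:
    """pinUvAuthProtocol authenticate(): HMAC-SHA-256(token, message),
    truncated to 16 bytes for protocol 1, the full 32 bytes for protocol 2."""
    mac = hmac.new(token, message, hashlib.sha256).digest()
    return mac[:16] if protocol == 1 else mac


def cm_message(subcommand: int, params_cbor: bytes = b"") -> bytes:
    """credentialManagement authenticates subCommand || CBOR(subCommandParams)."""
    return bytes([subcommand]) + params_cbor


def enum_creds_params(rp_id: str) -> bytes:
    """Hand-encoded CBOR map {1: rpIDHash}: a1 01 58 20 <32-byte SHA-256>."""
    return b"\xa1\x01\x58\x20" + hashlib.sha256(rp_id.encode()).digest()


def delete_cred_params(cred_id: bytes) -> bytes:
    """Hand-encoded CBOR {2: {"id": cred_id, "type": "public-key"}} for ids < 24 bytes."""
    assert len(cred_id) < 24
    return b"\xa1\x02\xa2\x62id" + bytes([0x40 | len(cred_id)]) + cred_id + b"\x64type\x6apublic-key"


@dataclass
class Token:
    value: bytes
    permissions: int
    persistent: bool


@dataclass
class SimAuthenticator:
    """Toy model of an authenticator's token and permission checks.
    Simulation only, not YubiKey firmware."""
    protocol: int = 2
    tokens: list = field(default_factory=list)

    def get_token(self, permissions: int) -> Token:
        # Modelling choice: a token whose only permission is pcmr is the
        # long-lived PPUAT; anything else is an ordinary short-lived token.
        tok = Token(os.urandom(32), permissions, permissions == PERM_PCMR)
        self.tokens.append(tok)
        return tok

    def usage_timeout(self) -> None:
        """Simplified: the events that invalidate ordinary tokens drop every
        non-persistent token; the PPUAT survives."""
        self.tokens = [t for t in self.tokens if t.persistent]

    def _verify(self, message: bytes, param: bytes):
        for t in self.tokens:
            if hmac.compare_digest(authenticate(self.protocol, t.value, message), param):
                return t
        return None

    def credential_management(self, subcommand: int, params_cbor: bytes, param: bytes) -> int:
        tok = self._verify(cm_message(subcommand, params_cbor), param)
        if tok is None:
            return ERR_PIN_AUTH_INVALID
        # pcmr satisfies only the read-only subcommands; writes need cm.
        needed = (PERM_CM | PERM_PCMR) if subcommand in READ_ONLY else PERM_CM
        return CTAP_OK if tok.permissions & needed else ERR_UNAUTHORIZED_PERMISSION

    def get_assertion(self, client_data_hash: bytes, param: bytes) -> int:
        """getAssertion authenticates clientDataHash and needs the ga permission."""
        tok = self._verify(client_data_hash, param)
        if tok is None:
            return ERR_PIN_AUTH_INVALID
        return CTAP_OK if tok.permissions & PERM_GA else ERR_UNAUTHORIZED_PERMISSION


def demo() -> dict:
    """Exercise a PPUAT and an ordinary cm token side by side."""
    auth = SimAuthenticator(protocol=2)
    ppuat = auth.get_token(PERM_PCMR)
    ordinary = auth.get_token(PERM_CM)

    def cm(token, sub, params=b""):
        param = authenticate(auth.protocol, token.value, cm_message(sub, params))
        return auth.credential_management(sub, params, param)

    cdh = hashlib.sha256(b"constructed clientDataJSON").digest()  # constructed input
    cred = b"\x01\x02\x03\x04"
    results = {
        "ppuat_enum_rps": cm(ppuat, CM_ENUM_RPS_BEGIN),
        "ppuat_enum_creds": cm(ppuat, CM_ENUM_CREDS_BEGIN, enum_creds_params("example.com")),
        "ppuat_delete": cm(ppuat, CM_DELETE_CRED, delete_cred_params(cred)),
        "ppuat_assertion": auth.get_assertion(cdh, authenticate(auth.protocol, ppuat.value, cdh)),
        "cm_delete": cm(ordinary, CM_DELETE_CRED, delete_cred_params(cred)),
    }
    auth.usage_timeout()
    results["ppuat_after_timeout"] = cm(ppuat, CM_ENUM_RPS_BEGIN)
    results["cm_after_timeout"] = cm(ordinary, CM_ENUM_RPS_BEGIN)
    # A MAC computed with the wrong protocol (16 bytes vs 32) fails before any permission check.
    bad = authenticate(1, ppuat.value, cm_message(CM_ENUM_RPS_BEGIN))
    results["bad_mac"] = auth.credential_management(CM_ENUM_RPS_BEGIN, b"", bad)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} 0x{v:02x}")
```

The ordering inside `credential_management` matters: the MAC is verified before the permission bits are consulted, so an attacker holding no token learns nothing about which permissions a subcommand needs, and a PPUAT holder is refused writes with CTAP2_ERR_UNAUTHORIZED_PERMISSION rather than silently succeeding.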
| PIN Complexity Policies | Details |
|---|---|
| Spec | Authenticators can enforce PIN rules beyond minimum length, including character set requirements. |
| Use Case | Enterprises subject to NIST SP 800-63B or similar requirements. |
| Yubico Support | Available in Yubico.NET SDK v1.14.0+, libfido2, and python-fido2 v2.0.0+. |
CTAP 2.1 introduced minimum PIN length enforcement (minPinLength). CTAP 2.2 expands this to full complexity policies, allowing authenticators to require not only longer PINs but also specific character set requirements. The protocol advertises through getInfo whether a complexity policy is in force, but the rules themselves are vendor-defined rather than expressed in a machine-readable form, so a client should treat a CTAP2_ERR_PIN_POLICY_VIOLATION response to setPIN or changePIN as the authoritative verdict instead of trying to reproduce the policy locally. Enforcement happens on the authenticator, so security policies cannot be bypassed by a non-compliant client.
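The split between what a client can check locally and what only the authenticator decides is easy to get wrong, so here is an added example (not code from this page or from a Yubico SDK) showing a setPIN flow against a simulated authenticator. The PIN encoding rules (UTF-8, at most 63 bytes, zero-padded to 64 bytes before encryption, at least 4 code points by default) are the protocol's; the NFC normalisation step, the getInfo member names `minPinLength`, `maxPinLength`, `pinComplexityPolicy` and `pinComplexityPolicyURL` as used on this page, the complexity rules inside `SimPinPolicyAuthenticator`, and the policy URL are all assumptions for illustration. The AES encryption of the padded PIN under the ECDH shared secret is omitted.

```python
import unicodedata
from typing import Optional, Tuple

MAX_PIN_BYTES = 63          # CTAP limit on the UTF-8 PIN
PADDED_PIN_LEN = 64         # plaintext length before encryption for setPIN/changePIN
DEFAULT_MIN_CODEPOINTS = 4  # spec default when the authenticator does not raise it
ERR_PIN_POLICY_VIOLATION = 0x37  # CTAP2_ERR_PIN_POLICY_VIOLATION
CTAP_OK = 0x00


def encode_pin(pin: str) -> bytes:
    """Canonicalise and pad a PIN the way the client must before encrypting it.
    ASSUMPTION: NFC normalisation is this example's choice; the byte limit and
    zero-padding are the protocol's."""
    raw = unicodedata.normalize("NFC", pin).encode("utf-8")
    if len(raw) > MAX_PIN_BYTES:
        raise ValueError("PIN exceeds 63 UTF-8 bytes")
    return raw.ljust(PADDED_PIN_LEN, b"\x00")


def client_precheck(pin: str, info: dict) -> Optional[str]:
    """Only what getInfo lets the client verify locally: lengths, never complexity.
    Returns a reason string or None. Member names follow this page's getInfo
    description (assumption: check your SDK's Info type)."""
    norm = unicodedata.normalize("NFC", pin)
    if len(norm) < info.get("minPinLength", DEFAULT_MIN_CODEPOINTS):
        return "too short"
    if "maxPinLength" in info and len(norm) > info["maxPinLength"]:
        return "too long"
    if len(norm.encode("utf-8")) > MAX_PIN_BYTES:
        return "exceeds 63 bytes"
    return None


class SimPinPolicyAuthenticator:
    """Toy authenticator enforcing a HYPOTHETICAL complexity policy.
    Real policies are vendor-defined and documented at the policy URL; the
    client only learns about them through CTAP2_ERR_PIN_POLICY_VIOLATION."""

    def __init__(self, min_len: int = 6, complexity: bool = True):
        self.info = {
            "minPinLength": min_len,
            "maxPinLength": 63,
            "pinComplexityPolicy": complexity,
            "pinComplexityPolicyURL": "https://example.invalid/pin-policy",  # hypothetical
        }
        self.pin: Optional[str] = None

    def _violates_policy(self, pin: str) -> bool:
        # Hypothetical rules: a single repeated character, or an ascending digit run.
        if len(set(pin)) == 1:
            return True
        if pin.isdigit() and all(int(b) - int(a) == 1 for a, b in zip(pin, pin[1:])):
            return True
        return False

    def set_pin(self, padded: bytes) -> int:
        pin = padded.rstrip(b"\x00").decode("utf-8")
        if len(pin) < self.info["minPinLength"]:
            return ERR_PIN_POLICY_VIOLATION
        if self.info["pinComplexityPolicy"] and self._violates_policy(pin):
            return ERR_PIN_POLICY_VIOLATION
        self.pin = pin
        return CTAP_OK


def set_pin_flow(auth: SimPinPolicyAuthenticator, pin: str) -> Tuple[Optional[int], str]:
    """Client flow: cheap local checks first, then defer to the authenticator.
    Status None means the PIN never left the client."""
    reason = client_precheck(pin, auth.info)
    if reason:
        return None, f"rejected locally: {reason}"
    status = auth.set_pin(encode_pin(pin))
    if status == ERR_PIN_POLICY_VIOLATION:
        url = auth.info.get("pinComplexityPolicyURL", "")
        return status, f"authenticator rejected PIN; see policy at {url}"
    return status, "ok"


if __name__ == "__main__":
    dev = SimPinPolicyAuthenticator(min_len=6)
    for candidate in ("1234", "123456", "111111", "2719-ab"):
        print(repr(candidate), set_pin_flow(dev, candidate))
```

Two points the flow encodes: "123456" passes every check the client can make from getInfo and is still refused, which is exactly why the UI has to be built around the authenticator's error rather than a local validator, and a locally rejected PIN is reported with a `None` status so it is never confused with a device verdict.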
| thirdPartyPayment Extension | Details |
|---|---|
| Spec | Enables assertion of a credential where the transaction initiator differs from the credential's relying party. |
| Use Case | Payment providers integrating PSD2 SCA via Secure Payment Confirmation (SPC). |
| Yubico Support | Available in Yubico.NET SDK v1.14.0+, yubikit-android v2.9.0+, and python-fido2 v2.0.0+. |
The thirdPartyPayment extension allows a credential registered with one relying party (e.g., a bank) to be asserted in a context where a different party initiates the transaction (e.g., a merchant checkout). The credential opts in at creation: the client sets thirdPartyPayment in the MakeCredential request and the authenticator stores the flag with the credential; a GetAssertion that carries the extension then only considers credentials created with it, so an ordinary passkey cannot be drawn into a third-party payment ceremony. This is the protocol primitive that makes Secure Payment Confirmation possible under PSD2. Note that most of the SPC-specific processing (the payment-specific client data, the cross-origin rules, and the transaction display the user confirms) must be handled by a compliant browser or client; this extension alone is not sufficient to implement a complete SPC flow.
Note: Browser Support Required. Secure Payment Confirmation requires coordinated browser support. Check our browser support matrix before implementing SPC workflows, as browser adoption is still evolving.
| hmac-secret-mc Extension | Details |
|---|---|
| Spec | Adds secret derivation support to the MakeCredential operation, complementing the existing hmac-secret extension for GetAssertion. |
| Use Case | Applications needing a per-credential secret immediately at registration, for example password managers encrypting vaults or offline workstation access systems. |
| Yubico Support | Available in Yubico.NET SDK v1.14.0+, yubikit-android v2.9.0+, and python-fido2 v2.0.0+. |
The hmac-secret extension has existed since CTAP 2.0 and returns a credential-specific secret during GetAssertion: an HMAC-SHA-256 over a client-supplied 32-byte salt, keyed with a per-credential CredRandom that never leaves the authenticator. The hmac-secret-mc extension adds the ability to retrieve that secret during MakeCredential as well, so an application can encrypt data with a hardware-backed secret at registration without requiring the user to perform a separate authentication step first. Presenting the same salt in a later GetAssertion hmac-secret request yields the same secret, which is what lets data encrypted at registration be decrypted after a later authentication.
Note: Relationship to WebAuthn PRF. The WebAuthn PRF extension maps to the hmac-secret extension at the CTAP level for GetAssertion flows. PRF also gained MakeCredential support (via hmac-secret-mc). For comprehensive implementation guidance, see our PRF extension documentation.
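The derivation itself is small, and seeing it end to end clarifies why a secret obtained at MakeCredential via hmac-secret-mc is the same one a later GetAssertion hmac-secret request returns. The following is an added example (not code from this page or from a Yubico SDK) that models the authenticator side with the standard library and walks a vault through registration, login, and salt rotation. Assumptions: the separate CredRandom values for UV and non-UV assertions follow the spec, but `SimHmacSecretCredential` is a simulation rather than YubiKey firmware; the wire protection of salts and outputs under the ECDH shared secret (saltEnc, saltAuth, encrypted output) is omitted; `vault_key` and `client_salt` are this example's own client-side choices, not anything the protocol defines.

```python
import hmac
import hashlib
import os
from typing import Optional

SALT_LEN = 32  # hmac-secret salts are exactly 32 bytes (salt1 required, salt2 optional)


class SimHmacSecretCredential:
    """Toy model of one credential on the authenticator. CredRandom is generated
    at MakeCredential and never leaves the device. Simulation only."""

    def __init__(self):
        self.cred_random_uv = os.urandom(32)     # used when the assertion had user verification
        self.cred_random_no_uv = os.urandom(32)  # used when it did not

    def derive(self, salt1: bytes, salt2: Optional[bytes] = None, uv: bool = True) -> bytes:
        """output1 = HMAC-SHA-256(CredRandom, salt1), followed by output2 for salt2."""
        for s in (salt1, salt2):
            if s is not None and len(s) != SALT_LEN:
                raise ValueError("hmac-secret salts must be exactly 32 bytes")
        cred_random = self.cred_random_uv if uv else self.cred_random_no_uv
        out = hmac.new(cred_random, salt1, hashlib.sha256).digest()
        if salt2 is not None:
            out += hmac.new(cred_random, salt2, hashlib.sha256).digest()
        return out

    def make_credential_hmac_secret_mc(self, salt1, salt2=None, uv=True) -> bytes:
        """CTAP 2.2: the same derivation, available at creation time."""
        return self.derive(salt1, salt2, uv)

    def get_assertion_hmac_secret(self, salt1, salt2=None, uv=True) -> bytes:
        """CTAP 2.0+: the derivation at assertion time."""
        return self.derive(salt1, salt2, uv)


def client_salt(app_id: str, epoch: int) -> bytes:
    """Deterministic, non-secret salt (this example's scheme). The client must
    be able to reproduce it, so it is stored alongside the vault."""
    return hashlib.sha256(f"{app_id}:{epoch}".encode()).digest()


def vault_key(secret: bytes, context: bytes = b"vault-key") -> bytes:
    """Client-side key derivation from the hmac-secret output (this example's
    choice; HKDF with a domain-separating info string is the usual pick)."""
    return hmac.new(secret, context, hashlib.sha256).digest()


def scenario() -> dict:
    cred = SimHmacSecretCredential()
    salt_v1 = client_salt("vault.example", 1)

    # Registration: hmac-secret-mc hands the client the secret immediately.
    k_reg = vault_key(cred.make_credential_hmac_secret_mc(salt_v1))

    # Later login: hmac-secret with the stored salt reproduces the same key.
    k_login = vault_key(cred.get_assertion_hmac_secret(salt_v1))

    # Rotation: one assertion with salt1=old, salt2=new returns both outputs,
    # so the vault can be re-wrapped under k_new without a second ceremony.
    salt_v2 = client_salt("vault.example", 2)
    both = cred.get_assertion_hmac_secret(salt_v1, salt_v2)
    k_old, k_new = vault_key(both[:32]), vault_key(both[32:])

    # An assertion without user verification derives from a different CredRandom,
    # so a vault keyed under UV cannot be opened by a non-UV assertion.
    k_no_uv = vault_key(cred.get_assertion_hmac_secret(salt_v1, uv=False))

    return {"k_reg": k_reg, "k_login": k_login, "k_old": k_old,
            "k_new": k_new, "k_no_uv": k_no_uv, "both": both}


if __name__ == "__main__":
    r = scenario()
    print("registration key == login key:", r["k_reg"] == r["k_login"])
    print("old key recovered during rotation:", r["k_old"] == r["k_reg"])
    print("rotated key differs:", r["k_new"] != r["k_reg"])
    print("non-UV key differs:", r["k_no_uv"] != r["k_reg"])
```

The practical consequence of the UV/non-UV split is that the client must request the same user verification level at every ceremony that touches the vault; mixing them yields a key that cannot open the data.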
| Hybrid Transport | Details |
|---|---|
| Spec | Cross-device authentication protocol using QR codes and BLE proximity pairing. |
| Use Case | Enables FIDO authentication on devices without built-in authenticators by leveraging a phone's platform authenticator. |
| Yubico Support | Not applicable; hybrid transport is implemented by platform authenticators and clients, not roaming security keys. |
Hybrid transport allows a platform authenticator on a phone to complete authentication for sessions on other devices like desktops. The client displays a QR code carrying the key material for the session; the user scans it with the phone, which broadcasts a BLE advertisement so the client can confirm the phone is physically nearby, and the two then connect through an end-to-end encrypted tunnel relayed over the network, over which the CTAP messages are exchanged to complete the FIDO ceremony. The BLE advertisement serves only as proof of proximity; the relay sees ciphertext and the ceremony itself runs inside the tunnel.
Note: Implementation Note. Browsers and operating systems handle hybrid transport. Application developers design flows that support both roaming authenticators and cross-device authentication, depending on user hardware availability.
| JSON-Based Messaging | Details |
|---|---|
| Spec | Optional JSON encoding for credential management commands, supplementing CBOR. |
| Use Case | Browser credential management UIs. |
| Yubico Support | Transparent to SDK usage; Yubico SDKs use CBOR when communicating with YubiKeys. |
CTAP 2.2 allows JSON encoding for specific credential management operations. This simplifies browser implementations that would otherwise need CBOR decoding in JavaScript. The core protocol continues using CBOR.
| Enhanced Authenticator Metadata (getInfo) | Details |
|---|---|
| Spec | Richer authenticator self-description including PIN complexity policies, attestation formats, UV counters, and more. |
| Use Case | Applications that adapt their behavior based on authenticator capabilities, for example adjusting PIN requirements or choosing attestation verification strategies. |
| Yubico Support | Available in Yubico.NET SDK v1.14.0+, yubikit-android v2.9.0+, python-fido2 v2.0.0+, and exposed via libfido2/fido2-token. |
CTAP 2.2 expands the authenticatorGetInfo response with fields like uvCountSinceLastPinEntry, attestationFormats, pinComplexityPolicy, and maxPinLength. These metadata fields enable smarter application behavior without trial-and-error probing of authenticator capabilities.
| SDK | CTAP 2.2 Support | Notes |
|---|---|---|
| python-fido2 | ✅ Full Support | v2.0.0+ supports PPUAT, hmac-secret-mc, thirdPartyPayment, and expanded getInfo fields. Note: thirdPartyPayment is not included in the default extensions list and requires a client that supports the WebAuthn payment extension. |
| Yubico.NET SDK | ✅ Extensive Support | v1.14.0+ supports PPUAT, PIN complexity policies, thirdPartyPayment, hmac-secret-mc, and expanded getInfo properties. |
| yubikit-android | ✅ Good Support | v2.9.0+ supports PPUAT, hmac-secret-mc, thirdPartyPayment, and expanded getInfo members. v3.0.0+ additionally supports CTAP 2.3. Actively maintained. |
| libfido2 / fido2-token | ⚠️ Limited | C library and command-line tools. Check the libfido2 release notes for current CTAP 2.2 feature coverage. |
| yubikit-swift | ⚠️ Limited | Modern Swift SDK for iOS/macOS. CTAP 2.2 feature support under development. |
| yubikit-ios (Objective-C) | ⚠️ Limited | Legacy Objective-C SDK. Missing most CTAP 2.2 features. Consider yubikit-swift for new projects. |
Note: Feature Coverage. Hybrid transport and JSON messaging are handled by browsers and operating systems, not SDK implementations.
Have questions about implementing CTAP 2.2 features? Visit our Support Portal or join the conversation in our GitHub repositories.