CTAP 2.3 is an incremental, backwards-compatible update to CTAP 2.2. It extends hybrid transport with a BLE channel, updates the long touch for reset timeout, and clarifies several protocol edge cases including smart-card interface handling and ISO 7816 user-presence semantics.
Note: WebAuthn and browser support. While CTAP 2.3 features are available at the protocol level, WebAuthn applications depend on browser support for these capabilities. Consult the WebAuthn Browser Support page before implementation.
The FIDO Alliance published CTAP 2.3 on February 26, 2026. It introduces no breaking changes: any CTAP 2.2-conformant implementation is automatically conformant to CTAP 2.3.
Because no breaking changes were introduced, the Alliance did not create a separate certification category for CTAP 2.2: all FIDO2 authenticator certifications are issued against CTAP 2.3. There is likewise no `FIDO_2_2` version string in `authenticatorGetInfo`; a device advertising CTAP 2.3 support reports `FIDO_2_3`.
This means:
- Existing CTAP 2.2 implementations need no protocol changes to be CTAP 2.3 conformant.
- New CTAP 2.3 features are additive; platforms and authenticators signal support via `authenticatorGetInfo` as always.
For context on the features CTAP 2.2 introduced, see the CTAP 2.2 guide.
| Feature | Description | Developer Benefit |
|---|---|---|
| BLE Data Transfer Channel for Hybrid (New in 2.3) | QR-initiated hybrid transactions can now specify Bluetooth Low Energy as the data transfer channel, in addition to the WebSocket channel supported since CTAP 2.2. | Enables cross-device authentication in constrained or offline network environments where WebSocket connections to relay servers may be blocked. |
| `FIDO_2_3` Version String (New in 2.3) | The value `FIDO_2_3` appears in the `versions` array of `authenticatorGetInfo`. | Platforms can reliably detect CTAP 2.3 support and gate features accordingly. |
| Long Touch for Reset (Introduced in 2.2; updated in 2.3) | Authenticators can advertise via `longTouchForReset` that their reset ceremony requires a sustained touch; CTAP 2.3 shortens the required hold from 10 seconds to 5 seconds. | Platforms can display accurate reset instructions without guessing device-specific UX, preventing failed resets from insufficient touch duration. |
| `smart-card` Interface Value (New in 2.3) | `smart-card` joins `usb`, `nfc`, `ble`, and `internal` as a recognized transport/interface value in `authenticatorGetInfo`. | Authenticators accessed via ISO 7816 contact readers can correctly advertise their interface type, improving interoperability with enterprise credential management systems. |
| FIDO Applet Explicit Selection Required (New in 2.3) | Authenticators are prohibited from allowing FIDO Applets to be implicitly selected or enabled. Explicit applet selection is required. | Hardens the security boundary around FIDO operations in multi-application smart-card scenarios, reducing the risk of unintended applet activation. |
| Reset Path (Clarified in 2.3) | Authenticators SHOULD support `authenticatorReset`; an authenticator that does not still has to provide a defined reset path. | Guarantees every CTAP 2.3 authenticator has a defined reset path, even if it is not via the CTAP reset command directly. |
| Minimum PIN Length for Integrated PIN Entry | Minimum PIN length policy coverage is extended to authenticators that have their own PIN input mechanism. | Broadens the applicability of minimum PIN length policies to authenticators with integrated PIN input mechanisms. |
| ISO 7816 (Contact + NFC) Clarification (Clarified in 2.3) | The NFC evidence-of-user-interaction model is generalized to cover both NFC and ISO 7816 contact interfaces, with updated terminology and timeout behavior. | Eliminates ambiguity for authenticators that support both contact and contactless interfaces, ensuring consistent user-presence semantics across physical interface types. |
| Spec | Use Case | Yubico Support |
|---|---|---|
| QR-initiated hybrid transactions can now negotiate a Bluetooth Low Energy channel as an alternative to the WebSocket channel defined in CTAP 2.2. | Environments with restricted internet access, air-gapped networks, or scenarios requiring low-latency local radio communication. | Not applicable to roaming security keys; hybrid transport is implemented by platform authenticators and clients. |
CTAP 2.2 specified WebSocket-based encrypted tunnels as the data transfer mechanism for QR-initiated hybrid authentication. CTAP 2.3 extends this by adding BLE as a negotiable alternative. The QR code payload specifies which channel the Credential Provider Hosting Device supports, and the client selects accordingly.
This matters for enterprise deployments with strict network egress filtering, where WebSocket connections to FIDO relay servers may be blocked. A BLE channel allows cross-device authentication entirely over local radio, with no internet connectivity required for the data transfer phase.
Note: Platform and OS support required. BLE hybrid transport requires coordinated support in both the initiating platform (desktop OS/browser) and the device providing the platform authenticator (phone). Check platform release notes for availability.
| Spec | Use Case |
|---|---|
| `FIDO_2_3` is reported in the `versions` array of `authenticatorGetInfo`. | Platform feature detection for CTAP 2.3-specific behaviors. |
When a platform needs to gate a CTAP 2.3-only behavior, such as the BLE hybrid channel or the shortened long-touch reset timing, it checks for `FIDO_2_3` in the `authenticatorGetInfo` `versions` array.
There is a gap in version string granularity: because no `FIDO_2_2` string exists, no single version string distinguishes a CTAP 2.2-only authenticator from a CTAP 2.1 one. For CTAP 2.2 features specifically, platforms should use field-level feature detection via the relevant `authenticatorGetInfo` fields rather than relying on version strings.
| Spec | Use Case | Yubico Support |
|---|---|---|
| An authenticator can advertise via `longTouchForReset` that its reset ceremony requires a sustained touch. | Enterprise deployments where accidental resets are a concern; any device that uses sustained touch to differentiate reset from normal operation. | Check Yubico release notes for firmware and SDK availability. |
Before CTAP 2.2, platforms had no standard way to know whether a device's reset ceremony required a brief touch or a sustained one. This caused UX confusion: users who did not hold long enough failed the reset without a clear explanation.
With CTAP 2.2, an authenticator that requires a long touch sets `longTouchForReset: true` in `authenticatorGetInfo`. CTAP 2.3 updates the required hold duration from 10 seconds to 5 seconds. Platforms should check this field before presenting reset instructions and adjust the UI accordingly.
| Spec | Use Case | Yubico Support |
|---|---|---|
| `smart-card` is added to the recognized transport/interface values in `authenticatorGetInfo`. | Authenticators with an ISO 7816 contact smart-card form factor in enterprise deployments. | Applicable to Yubico authenticators accessed via the ISO 7816 contact interface. |
Prior to CTAP 2.3, the recognized transport/interface values were `usb`, `nfc`, `ble`, and `internal`. Authenticators with an ISO 7816 contact smart-card form factor had no dedicated value to advertise that interface.
Adding `smart-card` allows such authenticators to correctly report their interface type in `authenticatorGetInfo`.
| Spec | Use Case |
|---|---|
| Authenticators are prohibited from allowing FIDO Applets to be implicitly selected or enabled. | Multi-application smart-card environments where FIDO and PIV or other applets coexist on the same device. |
In multi-applet environments, such as a YubiKey that supports FIDO2, PIV, OpenPGP, and OTP simultaneously, there was previously no normative requirement preventing a FIDO Applet from being activated without an explicit selection command. CTAP 2.3 normatively prohibits implicit selection, so FIDO operations can only begin after the platform has explicitly selected the FIDO Applet.
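As an added example (not Yubico's or the FIDO Alliance's code), the exchange below shows the client side doing the explicit SELECT before sending a CTAP command over the ISO 7816 interface, against a simulated multi-applet card that refuses CTAP traffic until the FIDO applet has been selected. The FIDO applet AID, the SELECT-by-name APDU and the NFCCTAP_MSG APDU are the encodings the CTAP and ISO 7816-4 specs define; the card simulation, its PIV stand-in, its select responses and the status word it returns to a CTAP command sent before SELECT are constructed here for illustration.

```python
"""Explicit FIDO applet selection over ISO 7816, shown as a client/card exchange.

Added example, not Yubico's or the FIDO Alliance's code. FIDO_AID, the SELECT
APDU (CLA 00, INS A4, P1 04) and NFCCTAP_MSG (CLA 80, INS 10) follow the CTAP
and ISO 7816-4 specs. MultiAppletCard is a constructed simulation: its PIV
stand-in, select responses and the 0x6985 it returns before selection are
illustrative choices, not behaviour captured from a real token.
"""
from typing import Optional, Tuple

FIDO_AID = bytes.fromhex("A0000006472F0001")           # FIDO applet AID
PIV_AID = bytes.fromhex("A000000308000010000100")       # NIST SP 800-73 PIV AID

SW_OK = 0x9000
SW_FILE_NOT_FOUND = 0x6A82      # ISO 7816-4: no applet with that AID
SW_COND_NOT_SATISFIED = 0x6985  # ISO 7816-4: conditions of use not satisfied

CTAP_GETINFO = b"\x04"          # authenticatorGetInfo command byte, no CBOR body


def select_apdu(aid: bytes) -> bytes:
    """SELECT by DF name: CLA 00 INS A4 P1 04 P2 00 Lc AID."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid


def nfcctap_msg_apdu(ctap_request: bytes) -> bytes:
    """NFCCTAP_MSG: CLA 80 INS 10 P1 00 P2 00 Lc <ctap request> Le 00."""
    return bytes([0x80, 0x10, 0x00, 0x00, len(ctap_request)]) + ctap_request + b"\x00"


class MultiAppletCard:
    """Constructed stand-in for a token hosting FIDO and PIV applets.

    Enforces the CTAP 2.3 rule from the text: a CTAP command is refused unless
    the FIDO applet was explicitly SELECTed; nothing else activates it.
    """

    def __init__(self) -> None:
        self.selected: Optional[bytes] = None

    def transmit(self, apdu: bytes) -> Tuple[bytes, int]:
        cla, ins, p1, p2, lc = apdu[:5]
        data = apdu[5:5 + lc]
        if (cla, ins, p1, p2) == (0x00, 0xA4, 0x04, 0x00):
            if data == FIDO_AID:
                self.selected = FIDO_AID
                return b"U2F_V2", SW_OK   # version string FIDO applets answer SELECT with
            if data == PIV_AID:
                self.selected = PIV_AID
                return b"", SW_OK
            return b"", SW_FILE_NOT_FOUND
        if (cla, ins) == (0x80, 0x10):
            if self.selected != FIDO_AID:
                return b"", SW_COND_NOT_SATISFIED   # no implicit FIDO activation
            if data == CTAP_GETINFO:
                # CTAP2_OK (0x00) then CBOR {1: ["FIDO_2_3"]}, hand-encoded:
                # a1 = map(1), 01 = key 1 (versions), 81 = array(1), 68 = text(8)
                return b"\x00" + bytes.fromhex("a1018168") + b"FIDO_2_3", SW_OK
            return b"\x01", SW_OK                   # CTAP1_ERR_INVALID_COMMAND
        return b"", 0x6D00                          # INS not supported


def get_info(card: MultiAppletCard, select_first: bool) -> Tuple[bytes, int]:
    """Client side: select the FIDO applet explicitly, then send getInfo."""
    if select_first:
        _, sw = card.transmit(select_apdu(FIDO_AID))
        if sw != SW_OK:
            return b"", sw
    return card.transmit(nfcctap_msg_apdu(CTAP_GETINFO))


if __name__ == "__main__":
    card = MultiAppletCard()
    print("without SELECT:   ", get_info(card, select_first=False))
    card.transmit(select_apdu(PIV_AID))
    print("after PIV SELECT: ", get_info(card, select_first=False))
    print("after FIDO SELECT:", get_info(card, select_first=True))
```

The point the simulation makes is the one the requirement is about: a CTAP APDU arriving while no applet, or a different applet, is selected must not wake the FIDO applet as a side effect. The client always pays for the SELECT round trip, and the card's only path to a CTAP response runs through it.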
| Spec | Use Case |
|---|---|
| Authenticators SHOULD support `authenticatorReset`; an authenticator that does not still has to provide a defined reset path. | Enterprise device lifecycle management; security key recovery scenarios. |
This clarification ensures that every CTAP 2.3 authenticator provides a defined reset path. Platforms building device management workflows can assume a reset path exists, even if it is not via the CTAP `authenticatorReset` command.
Because CTAP 2.3 introduced no breaking changes, platforms should use field-level feature detection rather than relying solely on version strings.
| Feature to detect | authenticatorGetInfo field to check |
|---|---|
| CTAP 2.3 advertised | `versions` contains `FIDO_2_3` |
| PIN Complexity is active | `pinComplexityPolicy` |
| PIN Complexity policy URL available (CTAP 2.2+) | `pinComplexityPolicyURL` |
| Long Touch for Reset required | `longTouchForReset` |
| PPUAT (persistent read-only token) | |
| Minimum PIN length | `minPINLength` |
| Maximum PIN length | `maxPINLength` |
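The detection rules above, as an added example (not code from Yubico, python-fido2 or the FIDO Alliance): it runs over an `authenticatorGetInfo` map that has already been CBOR-decoded into a Python dict keyed by the spec's member names, gates CTAP 2.3-only behavior on `FIDO_2_3`, reads every CTAP 2.2-era capability from its own field, and derives reset instructions from `longTouchForReset` together with the hold times this guide gives. The two sample responses are constructed for illustration and no authenticator is needed to run it.

```python
"""Field-level feature detection over a decoded authenticatorGetInfo map.

Added example, not code from Yubico, python-fido2 or the FIDO Alliance. It
takes the CBOR map already decoded into a dict (keyed by the member names the
CTAP spec uses) so it runs without a device. The two sample responses are
constructed, not captured from real authenticators.
"""
from dataclasses import dataclass
from typing import Optional

# CTAP 2.3 is additive, so the version string only tells you the device claims
# 2.3. There is no FIDO_2_2 string, so every CTAP 2.2-era capability has to be
# read from its own authenticatorGetInfo member.
CTAP_2_3_VERSION = "FIDO_2_3"


@dataclass(frozen=True)
class FeatureReport:
    ctap_2_3: bool
    long_touch_for_reset: bool
    pin_complexity_active: bool
    pin_complexity_policy_url: Optional[str]
    min_pin_length: Optional[int]
    max_pin_length: Optional[int]
    smart_card_interface: bool


def detect_features(info: dict) -> FeatureReport:
    """Read each capability from its own getInfo member, never from versions alone."""
    versions = info.get("versions", [])
    transports = info.get("transports", [])
    return FeatureReport(
        ctap_2_3=CTAP_2_3_VERSION in versions,
        long_touch_for_reset=bool(info.get("longTouchForReset", False)),
        pin_complexity_active=bool(info.get("pinComplexityPolicy", False)),
        pin_complexity_policy_url=info.get("pinComplexityPolicyURL"),
        min_pin_length=info.get("minPINLength"),
        max_pin_length=info.get("maxPINLength"),
        smart_card_interface="smart-card" in transports,
    )


def can_use_ctap_2_3_feature(info: dict) -> bool:
    """Gate a CTAP 2.3-only behaviour on the version string, not on a 2.2 field."""
    return detect_features(info).ctap_2_3


def reset_instructions(info: dict) -> str:
    """Pick reset UX copy from longTouchForReset, with the hold time keyed to the
    spec level the device advertises (10 s under CTAP 2.2, 5 s under CTAP 2.3,
    the figures this guide gives)."""
    if not info.get("longTouchForReset"):
        return "Touch the authenticator to confirm the reset."
    hold_seconds = 5 if CTAP_2_3_VERSION in info.get("versions", []) else 10
    return f"Touch and hold the authenticator for {hold_seconds} seconds to reset it."


# Constructed sample: a CTAP 2.2 device. It has no FIDO_2_2 version string but
# does carry the 2.2-era fields, which is why field-level detection matters.
INFO_CTAP_2_2 = {
    "versions": ["U2F_V2", "FIDO_2_0", "FIDO_2_1"],
    "transports": ["usb", "nfc"],
    "longTouchForReset": True,
    "pinComplexityPolicy": True,
    "pinComplexityPolicyURL": "https://policy.example/pin",
    "minPINLength": 6,
    "maxPINLength": 63,
}

# Constructed sample: a CTAP 2.3 device reached over an ISO 7816 contact reader.
INFO_CTAP_2_3 = {
    "versions": ["FIDO_2_0", "FIDO_2_1", "FIDO_2_3"],
    "transports": ["smart-card"],
    "minPINLength": 4,
}

if __name__ == "__main__":
    for name, info in (("CTAP 2.2 device", INFO_CTAP_2_2), ("CTAP 2.3 device", INFO_CTAP_2_3)):
        print(name, detect_features(info))
        print("  reset UX:", reset_instructions(info))
```

With a real device, feed `detect_features` the decoded map your SDK exposes for `authenticatorGetInfo`; the logic does not change, only where the dict comes from.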
| SDK | CTAP 2.3 Support | Notes |
|---|---|---|
| yubikit-android | ✅ v3.0.0+ | Full CTAP 2.3 support. Actively maintained. |
| Yubico.NET SDK | ✅ In progress | Check What's New in the SDK for current CTAP 2.3 feature coverage. |
| python-fido2 | ✅ v2.0.0+ | CTAP 2.3 feature coverage follows FIDO Alliance spec additions. Check the python-fido2 release notes for specific feature availability. |
| libfido2 / fido2-token | ✅ Full Support (v1.17.0+) | v1.17.0+ supports most CTAP 2.3 features listed above. Check the libfido2 release notes for specific feature coverage. |
| yubikit-swift | ⚠️ In development | Modern Swift SDK for iOS/macOS. CTAP 2.3 feature support under development. |
| yubikit-ios (Objective-C) | ❌ Not planned | Legacy SDK. Migrate to yubikit-swift for new projects. |