WebAuthnCTAP

WebAuthnCTAP refers to the protocol stack that enables WebAuthn authentication by defining how a web client communicates with an external authenticator. It combines the WebAuthn API, defined by the W3C within the FIDO2 project, with the Client-to-Authenticator Protocol (CTAP), which governs the exchange between the client (browser or operating system) and the authenticator. CTAP has two generations: CTAP1, rooted in the U2F protocol, and CTAP2, which supports the full WebAuthn feature set, including credential creation, user verification, and attestation.

CTAP1 provides basic authentication capabilities via USB HID and older transports; CTAP2 extends this to support multiple credentials, credential discovery, attestation, and flexible transport options.

Transport and devices: CTAP messages are carried over USB, USB-C, NFC, BLE, or built-in (platform) transports.

When a user registers a new credential, the WebAuthn API constructs a makeCredential request and passes it to the CTAP layer, which forwards CBOR-encoded messages to the authenticator. The authenticator creates a new key pair, optionally performs user verification, and returns an attestation object along with the public key. During authentication, a getAssertion request is issued; the authenticator signs a challenge with the private key and returns an assertion. The actual transport depends on the authenticator and the client device.

Security considerations: CTAP authenticators use device-bound keys. WebAuthn CTAP enables phishing-resistant authentication because assertions are tied to the Relying Party's origin: the client records the origin in the signed client data, so an assertion produced on one origin does not verify for another. Attestation may be restricted by privacy controls.
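The getAssertion flow and the origin binding described above, as an added Go example that is not part of the original page: the authenticator step signs authenticatorData || SHA-256(clientDataJSON) with a device-bound P-256 key, and the relying-party check verifies challenge, origin, rpIdHash, the user-presence flag and the signature in that order. The rpId example.com, the challenge and the clientDataJSON are constructed sample values; CBOR framing and attestation are left out.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)
// clientData holds the fields of the clientDataJSON the browser assembles for getAssertion.
type clientData struct{ Type, Challenge, Origin string }
// authData builds a minimal authenticatorData: SHA-256(rpId) || flags || 32-bit signCount.
func authData(rpID string, flags byte, count uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(append(h[:], flags), byte(count>>24), byte(count>>16), byte(count>>8), byte(count))
}
// signedDigest is what both sides hash: authenticatorData || SHA-256(clientDataJSON).
func signedDigest(ad, cdJSON []byte) []byte {
	cdh := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return d[:]
}
// VerifyAssertion is the relying-party side: challenge, origin, rpIdHash and user presence are checked before the signature.
func VerifyAssertion(pub *ecdsa.PublicKey, origin, rpID, challenge string, ad, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("malformed client data, wrong type or stale challenge")
	}
	if cd.Origin != origin {
		return errors.New("origin mismatch: assertion was not made for this relying party")
	}
	if want := sha256.Sum256([]byte(rpID)); len(ad) < 37 || string(ad[:32]) != string(want[:]) || ad[32]&0x01 == 0 {
		return errors.New("rpIdHash mismatch or user presence not asserted")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(ad, cdJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}
// Scenario runs the flow on constructed data: a fresh device-bound key signs clientData naming clientOrigin; the RP at https://example.com verifies it.
func Scenario(clientOrigin string) error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ad := authData("example.com", 0x01, 7)
	cd := []byte(`{"type":"webauthn.get","challenge":"c0ffee","origin":"` + clientOrigin + `"}`)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cd)) // authenticator's getAssertion step
	return VerifyAssertion(&priv.PublicKey, "https://example.com", "example.com", "c0ffee", ad, cd, sig)
}
func main() { fmt.Println(Scenario("https://example.com"), Scenario("https://example.net")) }
```

Running it prints `<nil>` for the genuine origin and an origin-mismatch error for the other one, which is the property that makes the scheme phishing-resistant.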