The Client to Authenticator Protocols (CTAP1, CTAP2) are FIDO Alliance specifications describing how an application (i.e. browser) and operating system establish communications with a compliant authentication device. CTAP complements the W3C’s WebAuthn Protocol, and together these protocols can enable two-factor authentication (2FA), multi-factor authentication (MFA), or fully passwordless authentication.
Jointly the FIDO CTAP protocols and the W3C’s WebAuthn comprise FIDO2, which succeeds the alliance’s U2F and UAF specifications. FIDO2 supports passwordless, 2FA, and MFA login to FIDO2 browsers leveraging the host device’s embedded authenticators and OS (e.g. Windows Hello), or external authenticators such as smartphones, wearable devices, and FIDO security tokens. How, and with what, these experiences authenticate is determined by which CTAP protocol and external (called roaming) devices are in use.
Specifically, CTAP2 enables smartphones and FIDO security tokens to interface with FIDO2 web browsers and operating systems over USB, NFC, or BLE. Together these deliver 2FA, MFA, or passwordless authentication. CTAP1 (formerly, FIDO U2F) enables existing FIDO U2F security keys and wearables for authentication on FIDO2 browser and OS’s over USB, NFC, or BLE, but for 2FA alone.
"FIDO's CTAP protocols help smartphones talk with supported web browsers over various communication methods to enable users to have a passwordless experience."