Security Encyclopedia

Client to Authenticator Protocol (CTAP1, CTAP2)

The Client to Authenticator Protocols (CTAP1, CTAP2) are FIDO Alliance specifications that complement the W3C’s WebAuthn Protocol, and together these protocols enable two-factor authentication (2FA), multi-factor authentication (MFA), or a true passwordless experience.

Together, the FIDO CTAP protocols and the W3C’s WebAuthn make up FIDO2, which succeeds the alliance’s U2F and UAF specifications. FIDO2 supports passwordless, 2FA, and MFA login in FIDO2 browsers, using either the host device’s embedded authenticators and OS (e.g. Windows Hello) or external authenticators such as smartphones, wearable devices, and FIDO security tokens. How, and with what, these experiences authenticate is determined by which CTAP protocol and which external (roaming) devices are in use.

Specifically, CTAP2 enables smartphones and FIDO security tokens to interface with FIDO2 web browsers and operating systems over USB, NFC, or BLE. Together these deliver 2FA, MFA, or passwordless authentication. CTAP1 (formerly FIDO U2F) enables existing FIDO U2F security keys and wearables to authenticate on FIDO2 browsers and operating systems over USB, NFC, or BLE, but only for 2FA.


"FIDO's CTAP protocols help smartphones talk with supported web browsers over various communication methods to enable users to have a passwordless experience."