FIDO2: WebAuthn & CTAP
Moving the World Beyond Passwords
FIDO2 is the overarching term for FIDO Alliance’s newest set of specifications. FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).
Inside the FIDO2 Specifications
Web Authentication (WebAuthn)
WebAuthn enables online services to use FIDO Authentication through a standard web API that can be built into browsers and related web platform infrastructure. It is a collaborative effort based on specifications initially submitted by FIDO Alliance to the W3C and then iterated and finalized by the broader FIDO and W3C communities. WebAuthn was designated an official web standard in March 2019. It is currently supported in Windows 10 and Android platforms, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari web browsers.
WebAuthn allows users to log into internet accounts using their preferred device. Web services and apps can – and should – turn on this functionality to give their users an easier login experience via biometrics, mobile devices and/or FIDO security keys — and with much higher security over passwords alone.
For technical information about the W3C Recommendation, look here.
Client to Authenticator Protocol (CTAP)
CTAP enables expanded use cases over previous FIDO standards. It enables external devices such as mobile handsets or FIDO security keys to work with browsers supporting WebAuthn, and also to serve as authenticators to desktop applications and web services.
For technical details about CTAP, look here.
FIDO2’s relationship with other FIDO specs
The specifications under FIDO2 support existing passwordless FIDO UAF and FIDO U2F use cases and expand the availability of FIDO Authentication. Users that already have external FIDO-compliant devices, such as FIDO security keys, will be able to continue to use these devices with web applications that support WebAuthn. Existing FIDO UAF devices can still be used with pre-existing services as well as new service offerings based on the FIDO UAF protocols.
Testing and Certification
FIDO Alliance provides interoperability testing and certification for servers, clients and authenticators adhering to FIDO2 specifications. Additionally, the Alliance has introduced a new Universal Server certification for servers that interoperate with all FIDO authenticator types (FIDO UAF, WebAuthn, CTAP). As a best practice, the FIDO Alliance recommends online services and enterprises deploy a Universal Server to ensure support for all FIDO Certified authenticators.
WebAuthn + CTAP Flow
Demos from Google and Microsoft
See cross-browser, cross-OS demonstrations of FIDO2 in action