FIDO2: What’s the Difference Between CTAP and WebAuthN?
Updated: Oct 5
At its most basic, FIDO2 is a set of protocols that enable web applications to use secure device biometrics (fingerprint scans, facial recognition, etc.) and hardware-based security keys such as Google Titan and YubiKey for user authentication.
CTAP and WebAuthN: The Two Components of FIDO2
CTAP is a standard that allows a client application to communicate with a security key such as Google Titan or YubiKey over USB, near-field communication (NFC), and Bluetooth. CTAP is a low-level standard that is typically implemented at either the operating system or the browser level and engaged through a FIDO2 client.
In addition to supporting the CTAP protocol, the FIDO2 client also supports the biometric authentication hardware that is embedded in the device on which it is running. There is no standard protocol between the FIDO2 client and the biometric hardware on the device. This requires that the client implement the necessary low-level interfaces that are supported by the device operating system.
WebAuthN is a protocol that provides the interface a FIDO2 client needs to access a web application. This interface abstracts the CTAP and device biometric interfaces to allow a web application to access them using a single interface, regardless of the operating system and hardware available on the device.
So what’s needed to support FIDO2 for your web applications? First you’ll need a FIDO2 server. You can get that from any FIDO2 certified vendor, including Transmit Security. Next your application will need to communicate with the FIDO2 server and the WebAuthN browser interface. That’s pretty much it. There’s no need to worry about FIDO2 clients as they’re already included in the browser or operating system on top of which the browser runs. However, you will need to take a few things into consideration:
1. Registration of FIDO2 Authenticators
Users will need to register their FIDO2 authenticators with your application, whether these are device biometrics or security keys. Your application needs to be able to run these registration flows based on other identity validation methods and based on the FIDO2 authenticators supported for the user. Platforms such as Transmit Security can help you design and tie together these registration processes to simplify management and ensure a hassle-free user experience.
2. Browser and Device Support for FIDO2
Not all browsers support FIDO2 and not all hardware devices support FIDO-based biometrics. You will need to run parallel FIDO and non-FIDO methods of authentication allowing users to switch from one to another. Here as well, authentication management platforms such as Transmit Security can help you run multiple technologies under a single management console.
3. User Experience
As with any element related to identity or security in general, a poor customer experience can be confusing and frustrating to end users. New technologies and processes that are perceived as inconvenient and untrustworthy can set back the adoption of new authenticators and your web-based services. Tools offered by platforms such as Transmit give you granular control of the user experience and can implement user interface changes almost instantly across all your digital channels.
4. Changing User Devices
FIDO-based device biometrics (fingerprint scans, face recognition, etc.) are uniquely bound to the device itself. If the user switches to a new device, the biometrics are gone and you’re left with no way of authenticating the user using FIDO2 unless the user holds a hardware security key. It’s recommended to combine FIDO2 with a mobile authenticator to allow users to easily switch between devices. A platform such as Transmit Security has built-in processes that can easily be deployed to accommodate secure device registration and replacement.
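As an added illustration of the registration flow described in consideration 1 (this is not code from the post or from Transmit Security), here is the check a relying party performs on the data the WebAuthN browser interface returns before storing a new credential. The authenticatorData layout is the one WebAuthN defines; the sample bytes, RP ID, origin and challenge are constructed for the demo, and the COSE public key is left undecoded.

```python
import hashlib
import json
import struct

# Flag bits in the WebAuthn authenticatorData "flags" byte
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (biometric or PIN checked by the authenticator)
FLAG_AT = 0x40  # attested credential data (AAGUID, credential ID, public key) follows

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed-layout authenticatorData the FIDO2 client hands back."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {"rp_id_hash": auth_data[:32], "flags": flags, "sign_count": sign_count}
    if flags & FLAG_AT:
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        parsed["aaguid"] = auth_data[37:53]
        parsed["credential_id"] = auth_data[55:55 + cred_len]
        parsed["cose_public_key"] = auth_data[55 + cred_len:]  # CBOR, left undecoded here
    return parsed

def verify_registration(client_data_json: bytes, auth_data: bytes, expected_challenge: str,
                        expected_origin: str, rp_id: str, require_uv: bool) -> dict:
    """Checks a relying party must make before storing a new credential."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.create":
        raise ValueError("not a registration ceremony")
    if client_data.get("challenge") != expected_challenge:
        raise ValueError("challenge mismatch: replayed or from another session")
    if client_data.get("origin") != expected_origin:
        raise ValueError("origin mismatch: response was not produced for this web app")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("credential was scoped to a different RP ID")
    if not parsed["flags"] & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not parsed["flags"] & FLAG_UV:
        raise ValueError("user verification required but not performed")
    if "credential_id" not in parsed:
        raise ValueError("no attested credential data in a registration response")
    return parsed

def build_sample_auth_data(rp_id: str, flags: int, sign_count: int, cred_id: bytes) -> bytes:
    """Constructed authenticatorData for the demo; real bytes come from the authenticator.
    The public key is a placeholder empty CBOR map (0xa0), not a real COSE key."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
            + b"\x00" * 16 + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")
```

Attestation signature verification and COSE key decoding are omitted; a FIDO2 server library handles those once these structural checks pass.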