CTAP2 Protocol – Technical Guide 2026

(From official FIDO Alliance specs, W3C WebAuthn Level 3, and real implementations – December 2025)

What is CTAP2?

CTAP2 (Client to Authenticator Protocol 2) is the FIDO2 authenticator-side protocol that enables external security keys (YubiKey, Titan Key) and platform authenticators (built-in phone/laptop) to communicate with clients (browsers/OS) for passwordless authentication.

CTAP2 is the companion to WebAuthn – WebAuthn is the browser API, CTAP2 is the wire protocol between client and authenticator.

Key 2025 Facts (FIDO Alliance):
  • >1 billion CTAP2-compatible authenticators shipped.
  • >70 % of top sites support FIDO2 (passkeys).
  • Phishing resistance: 100 % (no shared secret).

CTAP2 enables passkeys – device-bound, biometric-protected credentials.

CTAP2 Architecture (2025)

| Component | Role | Example |
|---|---|---|
| Client | Browser/OS that initiates auth | Chrome, Safari, Edge |
| Authenticator | Device that holds keys | YubiKey, iPhone Secure Enclave, Android StrongBox |
| Platform Authenticator | Built-in (phone/laptop) | Apple Touch ID/Face ID |
| Roaming Authenticator | External key | YubiKey 5, Google Titan |

Transport types (2025):
  • USB (HID)
  • NFC
  • Bluetooth Low Energy (BLE)
  • Lightning (Apple)

CTAP2 Flow – Step-by-Step (2025 Process)

1. Registration (makeCredential)
  1. Client (browser) calls WebAuthn → sends makeCredential command.
  2. Client forwards to authenticator via CTAP2.
  3. Authenticator:
    • Prompts user verification (biometric/PIN).
    • Generates key pair (private + public).
    • Creates attestation (signed statement of device origin).
    • Returns credential ID + public key + attestation.
  4. Client sends to Relying Party (server).
  5. RP stores public key + credential ID.

2. Authentication (getAssertion)
  1. Client calls WebAuthn → sends getAssertion with challenge.
  2. Client forwards to authenticator.
  3. Authenticator:
    • Prompts user verification.
    • Signs challenge with private key.
  4. Returns signed challenge + credential ID.
  5. Client sends to RP → RP verifies with public key → success.

No password transmitted.

CTAP2 Commands (Key Ones – 2025)

| Command (CBOR) | Hex | Purpose | Key Parameters |
|---|---|---|---|
| makeCredential | 0x01 | Register new credential | clientDataHash, rp, user, pubKeyCredParams |
| getAssertion | 0x02 | Authenticate | clientDataHash, allowList |
| getInfo | 0x04 | Get authenticator info | (none) |
| clientPIN | 0x06 | PIN management | |
| reset | 0x07 | Factory reset | |

CBOR format – compact binary (like JSON but binary).

Technical Data Structures (2025)

makeCredential parameters (CBOR map):
Code:
  {
    1: clientDataHash (bytes),                                        // SHA-256 of clientDataJSON
    2: { "id": rpId, "name": rpName },                                // rp
    3: { "id": userId, "name": userName, "displayName": displayName }, // user
    4: [ { "type": "public-key", "alg": -7 } ],                       // pubKeyCredParams: ES256
    7: { "rk": true, "uv": true }                                     // options: resident key + user verification
  }

(In the CTAP2 spec the options map is key 0x07; keys 0x05 and 0x06 are excludeList and extensions.)

getAssertion response:
Code:
  {
    1: credential,               // { "type": "public-key", "id": credentialId }
    2: authenticatorData,        // rpIdHash || flags || signCount [|| extensions]
    3: signature,                // over authenticatorData || SHA-256(clientDataJSON)
    4: userHandle (optional)     // user entity whose "id" is the user handle
  }

authenticatorData flags:
  • UP (user present)
  • UV (user verified)
  • AT (attested)
  • ED (extension data)
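The relying party's side of the authentication flow above (steps 4 and 5) comes down to parsing authenticatorData, checking its flags and counter, and reconstructing the bytes the signature covers. The following is an added example, not code from the original post or from any WebAuthn library, that does those checks with the standard library; the authenticatorData it parses is constructed by the helper at the bottom rather than captured from a real key. It also decodes the BE/BS (backup eligible/backup state) bits, which WebAuthn Level 3 defines alongside the four flags listed above.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of authenticatorData[32] (WebAuthn Level 3, section 6.1)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible (credential may be synced)
FLAG_BS = 0x10  # backup state (credential currently backed up)
FLAG_AT = 0x40  # attested credential data follows (makeCredential only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    rest: bytes  # attested credential data and/or extensions, if AT/ED set


def parse_authenticator_data(data: bytes) -> AuthData:
    """Split the fixed 37-byte prefix: rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(data[:32], data[32], sign_count, data[37:])


def decode_flags(flags: int) -> list[str]:
    names = [("UP", FLAG_UP), ("UV", FLAG_UV), ("BE", FLAG_BE),
             ("BS", FLAG_BS), ("AT", FLAG_AT), ("ED", FLAG_ED)]
    return [n for n, bit in names if flags & bit]


def check_assertion(auth_data: bytes, client_data_json: bytes, expected_rp_id: str,
                    stored_sign_count: int, require_uv: bool) -> tuple[bool, str, bytes]:
    """RP-side checks before signature verification.

    Returns (ok, reason, signed_bytes); signed_bytes is what the ES256 signature
    in the getAssertion response must verify over: authenticatorData || SHA-256(clientDataJSON).
    """
    ad = parse_authenticator_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch: assertion is for a different RP", b""
    if not ad.flags & FLAG_UP:
        return False, "UP flag not set: no user presence check", b""
    if require_uv and not ad.flags & FLAG_UV:
        return False, "UV required but not set", b""
    # Counter check (WebAuthn section 7.2): a non-increasing counter means the
    # private key may exist on more than one authenticator. Both zero means the
    # authenticator does not implement a counter.
    if (ad.sign_count != 0 or stored_sign_count != 0) and ad.sign_count <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)", b""
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return True, "ok", signed


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample: authenticatorData for a getAssertion with no extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    sample = build_authenticator_data("example.com", FLAG_UP | FLAG_UV, 10)
    ok, reason, signed = check_assertion(sample, b'{"type":"webauthn.get"}', "example.com", 9, True)
    print(decode_flags(sample[32]), ok, reason, len(signed))
```

The signature itself would then be verified with the stored public key over the returned signed bytes; the checks here are the ones that matter for phishing resistance (rpIdHash binds the assertion to the origin's RP ID) and for clone detection (the counter).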

Supported Algorithms (2025)

| Algorithm | COSE ID | Use |
|---|---|---|
| ES256 | -7 | Default |
| ES384 | -35 | Optional |
| ES512 | -36 | Optional |
| EdDSA | -8 | Emerging (passkeys) |

Platform vs Roaming Authenticators (2025)

| Type | Sync | Cross-Device | Security |
|---|---|---|---|
| Platform | Yes | Yes (cloud) | Highest |
| Roaming | No | Yes (physical) | High |

Sync providers:
  • Apple iCloud Keychain
  • Google Password Manager
  • Microsoft cloud

Bottom Line – December 2025

CTAP2 is the protocol behind FIDO2 passkeys – it enables secure, passwordless auth with hardware-bound keys. Biometric + public-key crypto – phishing-proof.

Adoption exploding – future of login.

For developers: use the WebAuthn API (client side) – CTAP2 is handled by the browser.

Stay safe – passkeys are the gold standard.

Your choice. – Based on FIDO Alliance CTAP2 spec, W3C WebAuthn Level 3 (2025).