For decades, we’ve used the classic security system of a username combined with a password. If you want to log in somewhere on the Internet, whether at a social media portal or a web shop, you simply enter your account name and a secret password. However, this technique has turned out to be less secure than it once appeared. Users often choose passwords that are too simple or reuse the same password for many different accounts, making themselves vulnerable to attacks such as credential stuffing and phishing. That’s why the FIDO Alliance has teamed up with the World Wide Web Consortium (W3C) to develop a system that is both more secure and more convenient than password protection.

The results of the collaboration are FIDO2 and WebAuthn. Another mechanism commonly mentioned in connection with the new online protection is the Client to Authenticator Protocol (CTAP). But what exactly is behind the term?

What is CTAP?

FIDO2 and WebAuthn are intended to replace conventional passwords. Instead, your online accounts are protected by a cryptographic key pair held by a device, which is unlocked locally by biometric data such as a fingerprint, by a PIN or simply by a touch. The device can be a hardware token such as a USB stick. These devices are referred to as authenticators in the context of FIDO. Communication between such a token and the user’s system is regulated by CTAP. The protocol therefore determines how the two components must communicate with each other in order to successfully authenticate and log in on the web.

CTAP is available in two different versions. The first version of the protocol, CTAP1, is the protocol previously known as Universal 2nd Factor (U2F) and is used primarily for two-factor authentication. CTAP2 is the version developed for FIDO2. The new protocol, in combination with WebAuthn, is what makes FIDO2 work. WebAuthn regulates the connection between the user’s browser and the website where the person needs to identify themselves. CTAP, on the other hand, regulates the connection between the authenticator and the client, i.e. the user’s PC, laptop or smartphone and the browser or platform software running on it.

How the Client to Au­then­ti­ca­tor Protocol functions

To ensure that only authorized individuals can log into an online account, there must be some form of authentication. FIDO2 allows you to use an additional device to identify yourself as a user. These tokens are intended to replace impractical, often insecure passwords. The idea is that the authenticator connects through USB, NFC or Bluetooth to the device you actually want to use. For CTAP, WebAuthn and FIDO2 to work, the browser you use must support these standards. The current versions of the major browsers already implement WebAuthn and FIDO2.

Note

There are other forms of authenticators that are built directly into your PC, laptop or smartphone. These are primarily tools such as Face ID or Touch ID, i.e. fingerprint scanners or cameras with facial recognition. Such platform authenticators are not external hardware, so they are reached through the operating system’s own interfaces rather than through CTAP.

Com­mu­ni­ca­tion through CTAP follows a specific pattern. First, the browser (or any other re­spon­si­ble software) connects to the au­then­ti­ca­tor and queries about the in­for­ma­tion. The system de­ter­mines what au­then­ti­ca­tion option the external device is offering. Based on this in­for­ma­tion, the system is then able to send a command to the au­then­ti­ca­tor. The au­then­ti­ca­tor will send either a response or an error message if the command doesn’t match the devices ca­pa­bil­i­ties.

The au­then­ti­ca­tion data, like the fin­ger­print for example, never leaves the user’s access area with this method. All sensitive data remains in the system. The browser only sends con­fir­ma­tion through WebAuthn that access is permitted. This transfer, in turns, works through a public key procedure. Phishing attacks don’t work with CTAP, WebAuth and FIDO2: If users no longer need to provide passwords or usernames, then these can no longer be stolen through scams.

Note

An au­then­ti­ca­tor can be im­ple­ment­ed as FIDO2 security key. This is a small UCD stick that works like a key. By owning the security key, the user proves they have per­mis­sion to access the online account. In this instance, the key and system com­mu­ni­cate with each other through the Client to Au­then­ti­ca­tor Protocol.
