Client To Authenticator Protocol (CTAP) is a specification describing how an application (i.e. browser) and operating system establish communications with a compliant authentication device over USB, NFC or BLE communication mediums.
The specification is part of the FIDO2 project and W3C WebAuthN specification. The specification refers to two CTAP protocol versions.
CTAP1 is the new name for FIDO U2F. It defines how to establish communications between FIDO2-enabled browsers and operating systems and a FIDO U2F device, to enable a second-factor authentication experience.
CTAP2 defines how to establish communication between FIDO2-enabled browsers and operating systems and external authenticators (FIDO Security Keys, mobile devices) to enable a passwordless, second-factor or multi-factor authentication experience.
The general flow of communications defined by CTAP is as follows:
- Application (i.e. browser) establishes a connection with the authenticator.
- Application gets information about the authenticator and its capabilities.
- Application sends a command for an operation that the authenticator supports.
- Authenticator replies with response data or error.