Sorting FIDO/CTAP/WebAuthn terminologies

Ackermann Yuriy, published in WebAuthn Works, Oct 28, 2020


CTAP1 my U2F you FIDO2 CTAP2.

If you are confused by all the various FIDO terms, you are not alone. Over the years FIDO has expanded from two to a dozen working groups. Standards started overlapping and carrying backwards compatibility with each other, and everything went, terminologically speaking, bonkers.

[TL;DR image]

So here is a breakdown:

  • FIDO — Fast IDentity Online, or the FIDO Alliance. As I explained earlier, it’s a consortium that develops secure, open, phishing-proof, passwordless authentication standards. The FIDO protocol family is the set of protocols developed by the FIDO Alliance: UAF (Universal Authentication Framework), U2F (Universal Second Factor) and FIDO2. When I say “use FIDO” I generally mean “use any of these three protocols”, as they are all conceptually the same protocol, the differences being structural (UAF: TLV, U2F: raw, FIDO2: CBOR).
  • CTAP — Client to Authenticator Protocol — a set of low-level definitions for the transport protocols (HID, NFC, BLE) that describe how CTAP-enabled devices must communicate with the client over them. These definitions are shared by U2F and FIDO2 authenticators, and the respective versions are called CTAP1 and CTAP2.
  • U2F — Universal 2nd Factor — together with UAF, the first phishing-proof authentication protocol on the web. Originally presented in a 2014 publication. It is web-centric, and supports USB, NFC and BLE transports. It contains specifications for the low-level transports, the message format, the JS API and more.
  • CTAP1 — The formal name of the low-level part of the U2F protocol. U2F uses a raw message format, i.e. many buffers glued together.
  • U2F JS API — A legacy, U2F-only API introduced in Google Chrome in 2014. It is now outdated and companies should move away from it: it supports only U2F and is supported by only a few browsers, whereas WebAuthn is the modern standard that supports both U2F and FIDO2 authenticators.
  • FIDO2 — A new, modern, simple, secure, phishing-proof, passwordless authentication protocol. Its core specifications are WebAuthn (the client API) and CTAP (the authenticator API).
  • CTAP2 — The formal name of the low-level part of the FIDO2 protocol. FIDO2 uses CBOR to encode response structures, roughly JSON but TLV-ish. The CTAP2 specification also defines how FIDO2 requests are converted into CTAP1/U2F requests, and CTAP1/U2F responses into CBOR/FIDO2 responses. But U2F is NOT a part of FIDO2.
  • WebAuthn — A browser JS API that describes an interface for creating and managing public key credentials. It’s a new, W3C-led specification built around modern web requirements. WebAuthn can talk to both CTAP2/FIDO2 and CTAP1/U2F authenticators: based on criteria it encodes requests for the desired standard, and decodes/re-encodes responses according to the protocol. So even though the CTAP1/U2F conversion is defined in the CTAP2 spec, it is implemented on the WebAuthn (client) side.
  • Authenticator — A FIDO authenticator is an entity that performs authentication of the user to the server. An authenticator can be software, like a mobile app, or hardware, like a security key.
  • Security key — The correct term for hardware authenticators that support FIDO. Examples of security keys are Yubikey, Feitian, Trustkey, etc.
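The CTAP2 bullet above says FIDO2 responses are CBOR, "JSON but TLV-ish", and that WebAuthn hands the client a decoded view of them. Here is an added example (not code from the original post or from WebAuthn Works) of what that decoding involves: a minimal decoder for the definite-length CBOR subset that a WebAuthn attestationObject (keys fmt, attStmt, authData) and integer-keyed CTAP2 response maps use. The two sample inputs are constructed by hand for this example; the authData bytes are a four-byte placeholder, not a real authenticator data structure.

```javascript
// Added example, not from the original post: a minimal decoder for the
// definite-length CBOR subset used by CTAP2 responses and WebAuthn's
// attestationObject. Sample inputs below are constructed by hand.

// Strict UTF-8 so a malformed text string is rejected rather than mangled.
const utf8 = new TextDecoder("utf-8", { fatal: true });

function decodeCbor(bytes) {
  let pos = 0;
  const need = (n) => {
    if (pos + n > bytes.length) throw new Error("truncated CBOR item");
  };

  // Big-endian unsigned integer of n bytes (1, 2 or 4).
  function readUint(n) {
    need(n);
    let v = 0;
    for (let i = 0; i < n; i++) v = v * 256 + bytes[pos++];
    return v;
  }

  // The 5-bit "additional info" field is either the value itself (< 24) or
  // says how many following bytes hold it. Info 31 (indefinite length) is
  // rejected: CTAP2's canonical CBOR form does not use it. 8-byte values are
  // rejected too, since they are not safely representable as a JS number.
  function readArgument(info) {
    if (info < 24) return info;
    if (info === 24) return readUint(1);
    if (info === 25) return readUint(2);
    if (info === 26) return readUint(4);
    throw new Error(`unsupported additional info ${info}`);
  }

  function item() {
    need(1);
    const head = bytes[pos++];
    const major = head >> 5;
    const info = head & 0x1f;
    switch (major) {
      case 0: return readArgument(info);          // unsigned integer
      case 1: return -1 - readArgument(info);     // negative integer
      case 2: {                                    // byte string
        const n = readArgument(info);
        need(n);
        const out = bytes.slice(pos, pos + n);
        pos += n;
        return out;
      }
      case 3: {                                    // text string
        const n = readArgument(info);
        need(n);
        const s = utf8.decode(bytes.slice(pos, pos + n));
        pos += n;
        return s;
      }
      case 4: {                                    // array
        const n = readArgument(info);
        const arr = [];
        for (let i = 0; i < n; i++) arr.push(item());
        return arr;
      }
      case 5: {                                    // map; keys may be integers, unlike JSON
        const n = readArgument(info);
        const map = new Map();
        for (let i = 0; i < n; i++) {
          const key = item();
          if (map.has(key)) throw new Error("duplicate map key");
          map.set(key, item());
        }
        return map;
      }
      case 7:                                      // simple values
        if (info === 20) return false;
        if (info === 21) return true;
        if (info === 22) return null;
        throw new Error(`unsupported simple value ${info}`);
      default:
        throw new Error(`unsupported major type ${major}`);
    }
  }

  const value = item();
  if (pos !== bytes.length) throw new Error("trailing bytes after CBOR item");
  return value;
}

// Constructed: an attestationObject-shaped map {"fmt": "none", "attStmt": {}, "authData": <4 bytes>}.
const SAMPLE_ATTESTATION_OBJECT = Uint8Array.from([
  0xa3,                                                 // map(3)
  0x63, 0x66, 0x6d, 0x74,                               // "fmt"
  0x64, 0x6e, 0x6f, 0x6e, 0x65,                         // "none"
  0x67, 0x61, 0x74, 0x74, 0x53, 0x74, 0x6d, 0x74,       // "attStmt"
  0xa0,                                                 // {}
  0x68, 0x61, 0x75, 0x74, 0x68, 0x44, 0x61, 0x74, 0x61, // "authData"
  0x44, 0xde, 0xad, 0xbe, 0xef,                         // placeholder bytes, not real authData
]);

// Constructed, shaped like a CTAP2 authenticatorGetInfo reply: {1: ["FIDO_2_0"], 4: {"rk": true}}.
const SAMPLE_GET_INFO = Uint8Array.from([
  0xa2,                                                             // map(2)
  0x01, 0x81, 0x68, 0x46, 0x49, 0x44, 0x4f, 0x5f, 0x32, 0x5f, 0x30, // 1: ["FIDO_2_0"]
  0x04, 0xa1, 0x62, 0x72, 0x6b, 0xf5,                               // 4: {"rk": true}
]);

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodeCbor(SAMPLE_ATTESTATION_OBJECT));
  console.log(decodeCbor(SAMPLE_GET_INFO));
}
```

The decoder returns JavaScript Maps rather than plain objects because CTAP2 maps are keyed by small integers, which JSON has no equivalent for; that is the "TLV-ish" part. Refusing indefinite-length items, duplicate keys and trailing bytes is the cheap part of the strictness a relying party should apply before trusting anything inside a decoded response.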

FAQ

Is U2F a part of FIDO2?

— No, it is not. U2F is a separate standard for phishing-proof second-factor authentication. FIDO2 is simply backwards compatible with existing U2F authenticators.

Is FIDO2 the same as WebAuthn?

— No, it is not. WebAuthn is just one specification within the FIDO2 protocol, so the correct way to say it is “My server supports authentication with FIDO2”. It’s a common misconception because WebAuthn is the most public piece of the FIDO2 project. As a compromise you could say “My server supports authentication with FIDO2/WebAuthn”.

Should I call all security keys Yubikeys?

— NO. Yubikey is a security key from Yubico. It’s a great product, and we [WebAuthn Works] have been proud users of Yubikeys for many years. However, the Yubikey is only one of the security keys available on the market. You should also check TrustKey, Feitian Bio Pass, the open source Solokey, and the Google Titan Key, for example. So unless you are specifically talking about the Yubikey, Yubico’s product, use the term “security key” instead.

Is there more I can read about FIDO2?

— Shameless self advertising 1: https://medium.com/@herrjemand/introduction-to-webauthn-api-5fd1fb46c285 — My introduction to WebAuthn API

— Shameless self advertising 2: https://medium.com/@herrjemand/verifying-fido2-responses-4691288c8770 — My introduction to verifying FIDO2 responses

— Shameless self advertising 3: https://github.com/herrjemand/awesome-webauthn — A collection of curated resources on FIDO2/WebAuthn

License

This article is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0). So you are free to read, share, etc. If you are interested in commercial use of this article, or wish to translate it to a different language, please contact me at ackermann(dot)yuriy(at)gmail(dot)com.
