
CTAP

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: Titan Security Keys Hop 5
CTAP
Name: CTAP
Abbreviation: CTAP
Developer: FIDO Alliance
Release: 2018
Type: Authentication protocol

CTAP is an authentication protocol designed to enable secure, passwordless, and phishing-resistant authentication across Microsoft, Google, and Apple platforms using external authenticators such as Yubico devices and platform authenticators from Intel and Qualcomm. It complements protocols from the World Wide Web Consortium and the FIDO Alliance to integrate with web standards supported by browsers like Mozilla Firefox and Google Chrome, and with identity providers including Okta and Auth0.

Overview

CTAP specifies how external authenticators, including roaming tokens from Yubico and built-in platform authenticators in devices from Apple and Google, communicate with client platforms and relying parties such as Microsoft Azure Active Directory. The protocol works alongside the WebAuthn API standardized by the World Wide Web Consortium and implemented in browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari. CTAP defines message formats, transport methods such as USB, NFC, and BLE, and attestation mechanisms that can be verified by servers operated by entities like Cloudflare and Amazon Web Services.

History

Work on CTAP began within the FIDO Alliance as members including Yubico, Google, Microsoft, Apple, Intel, and Samsung sought to replace passwords following initiatives by NIST and discussions at conferences such as RSA Conference and Black Hat. Early deployments involved products from Yubico and platform support announced by Google and Microsoft at events like Google I/O and Microsoft Ignite. Over successive versions, CTAP evolved to address proposals from standards bodies including the Internet Engineering Task Force and feedback from companies like Okta and Duo Security.

Architecture and Protocols

CTAP defines two main sub-protocols implemented by authenticators and clients produced by vendors such as Yubico and Feitian: CTAP1 (compatible with Universal 2nd Factor) and CTAP2 (designed for FIDO2). CTAP2 specifies CBOR-encoded messages and relies on cryptographic primitives promoted by NIST, including algorithms in the FIPS family and elliptic curves like secp256r1 and Ed25519. Transport layers include USB Implementers Forum specifications for USB HID, Bluetooth profiles maintained by Bluetooth SIG, and NFC standards from the ISO/IEC family. Attestation formats reference metadata sources such as the FIDO Metadata Service used by relying parties like Okta.
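The CBOR message format and the one-byte command/status framing mentioned above can be shown concretely. The following Go program is an added example, not code from this article, the FIDO Alliance or any vendor named here: it implements the small CBOR subset CTAP2 messages are built from (integers, byte strings, text strings, arrays, maps, booleans), applies the CTAP2 canonical-form rule that map keys are sorted by encoded length and then bytewise, and frames a constructed authenticatorGetInfo response and authenticatorMakeCredential request. The command codes (0x01, 0x04), the CTAP2_OK status (0x00), the numeric parameter keys and the COSE algorithm -7 (ES256) are the values the CTAP2 specification assigns; the AAGUID, relying party and user values are constructed placeholders.

```go
package main

// Added example (not part of the article or the FIDO specifications): a minimal
// canonical CBOR encoder for the value kinds CTAP2 messages use, plus CTAP2 framing
// (one command byte before a request map, one status byte before a response map).

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"sort"
)

const (
	CmdMakeCredential byte = 0x01 // authenticatorMakeCredential
	CmdGetInfo        byte = 0x04 // authenticatorGetInfo
	StatusOK          byte = 0x00 // CTAP2_OK
)

// Map is a CBOR map whose keys are ints or strings, as in CTAP2 messages.
type Map map[interface{}]interface{}

// head writes a major type and its argument in the shortest form (canonical CBOR).
func head(buf *bytes.Buffer, major byte, n uint64) {
	mt := major << 5
	switch {
	case n < 24:
		buf.WriteByte(mt | byte(n))
	case n <= 0xff:
		buf.Write([]byte{mt | 24, byte(n)})
	case n <= 0xffff:
		buf.Write([]byte{mt | 25, byte(n >> 8), byte(n)})
	case n <= 0xffffffff:
		buf.Write([]byte{mt | 26, byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)})
	default:
		var b [9]byte
		b[0] = mt | 27
		binary.BigEndian.PutUint64(b[1:], n)
		buf.Write(b[:])
	}
}

// Encode appends the canonical CBOR encoding of v to buf.
func Encode(buf *bytes.Buffer, v interface{}) error {
	switch x := v.(type) {
	case int:
		if x >= 0 {
			head(buf, 0, uint64(x))
		} else {
			head(buf, 1, uint64(-1-x)) // negative ints, e.g. COSE alg -7 (ES256)
		}
	case bool:
		if x {
			buf.WriteByte(0xf5)
		} else {
			buf.WriteByte(0xf4)
		}
	case []byte:
		head(buf, 2, uint64(len(x)))
		buf.Write(x)
	case string:
		head(buf, 3, uint64(len(x)))
		buf.WriteString(x)
	case []interface{}:
		head(buf, 4, uint64(len(x)))
		for _, e := range x {
			if err := Encode(buf, e); err != nil {
				return err
			}
		}
	case Map:
		// CTAP2 canonical form: keys sorted by encoded length, then bytewise.
		type kv struct {
			enc []byte
			key interface{}
		}
		keys := make([]kv, 0, len(x))
		for k := range x {
			var kb bytes.Buffer
			if err := Encode(&kb, k); err != nil {
				return err
			}
			keys = append(keys, kv{kb.Bytes(), k})
		}
		sort.Slice(keys, func(i, j int) bool {
			if len(keys[i].enc) != len(keys[j].enc) {
				return len(keys[i].enc) < len(keys[j].enc)
			}
			return bytes.Compare(keys[i].enc, keys[j].enc) < 0
		})
		head(buf, 5, uint64(len(x)))
		for _, k := range keys {
			buf.Write(k.enc)
			if err := Encode(buf, x[k.key]); err != nil {
				return err
			}
		}
	default:
		return fmt.Errorf("unsupported CBOR value type %T", v)
	}
	return nil
}

// Frame prefixes a one-byte command (request) or status (response) to the CBOR body.
func Frame(first byte, body Map) ([]byte, error) {
	var buf bytes.Buffer
	buf.WriteByte(first)
	if body != nil {
		if err := Encode(&buf, body); err != nil {
			return nil, err
		}
	}
	return buf.Bytes(), nil
}

// SampleGetInfoResponse is a constructed authenticatorGetInfo response;
// the AAGUID is a dummy, not a real vendor value.
func SampleGetInfoResponse() ([]byte, error) {
	return Frame(StatusOK, Map{
		1: []interface{}{"FIDO_2_0"},          // versions
		3: bytes.Repeat([]byte{0xab}, 16),     // aaguid (placeholder)
		4: Map{"rk": true, "up": true},        // options
	})
}

// SampleMakeCredentialRequest is a constructed authenticatorMakeCredential request.
func SampleMakeCredentialRequest(clientDataHash []byte) ([]byte, error) {
	return Frame(CmdMakeCredential, Map{
		1: clientDataHash,
		2: Map{"id": "example.com", "name": "Example"},
		3: Map{"id": []byte{0x01, 0x02}, "name": "alice", "displayName": "Alice"},
		4: []interface{}{Map{"type": "public-key", "alg": -7}},
	})
}

func main() {
	resp, _ := SampleGetInfoResponse()
	fmt.Printf("getInfo response: % x\n", resp)
	req, _ := SampleMakeCredentialRequest(bytes.Repeat([]byte{0x11}, 32))
	fmt.Printf("makeCredential request: % x\n", req)
}
```

A getInfo request is just the command byte 0x04 with no body (Frame(CmdGetInfo, nil)); the response starts with the status byte and then the map. Canonical ordering matters on the authenticator side because the client-to-authenticator messages that a PIN/UV auth token is computed over must serialize identically on both ends.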

Implementations and Devices

Hardware authenticator vendors include Yubico, Feitian Technologies, Thales Group, Identiv, SoloKeys, and platform implementers like Apple (Face ID/Touch ID), Google (Titan), and Microsoft (Windows Hello). Browsers with CTAP-supporting WebAuthn clients include Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari. Cloud identity services integrating CTAP-enabled workflows include Auth0, Okta, Azure Active Directory, Google Identity Platform, and enterprise solutions from Ping Identity. Device manufacturers such as Samsung and chipset vendors like Qualcomm and Intel provide platform authenticators integrated into smartphones and laptops.

Security and Privacy Considerations

CTAP emphasizes phishing resistance and cryptographic attestation, with attestation models referencing policies from NIST and legal frameworks like the General Data Protection Regulation when used in the European Union. Threat analyses cited by vendors including Yubico and researchers from MIT and Stanford University examine risks such as supply-chain attacks, device cloning, and side-channel leakage studied at conferences like USENIX Security Symposium and Black Hat. Privacy-preserving features include anonymized attestation and per-origin keying comparable to guidance from the Electronic Frontier Foundation and compliance requirements enforced by organizations like ISO.
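The phishing resistance, per-origin keying and cloning concerns above come down to a few checks the relying party performs on every assertion. The Go program below is an added example, not code from this article or from any vendor it names: it builds the authenticator data a CTAP2 authenticator returns (rpIdHash || flags || signCount), signs it the way an ES256 authenticator does (ECDSA P-256 over SHA-256 of authenticator data concatenated with the client data hash), and then runs the relying-party checks: the rpIdHash must match the relying party's own ID (an assertion produced for a different origin is rejected even if the signature is valid), user presence and verification flags must be set, and the signature counter must advance (a non-advancing counter is the standard clone signal). The key pair, relying party IDs, counters and client data are constructed for illustration; a real authenticator would also use a different key per relying party, which this example does not model so that the rpIdHash check is shown in isolation.

```go
package main

// Added example (not part of the article): relying-party verification of a
// CTAP2/WebAuthn assertion, showing the rpIdHash binding (phishing resistance),
// flag checks, counter check (clone signal) and signature verification.
// All identifiers, keys and counters below are constructed for illustration.

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	flagUP byte = 0x01 // user present
	flagUV byte = 0x04 // user verified
)

// Credential is what the relying party stored at registration.
type Credential struct {
	Pub       *ecdsa.PublicKey
	SignCount uint32
}

// AuthData builds the fixed part of authenticator data: rpIdHash (32) || flags (1) || signCount (4, big-endian).
func AuthData(rpID string, flags byte, count uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append(h[:], flags)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], count)
	return append(out, c[:]...)
}

// signedData is what the authenticator actually signs: authData || clientDataHash.
func signedData(authData, clientDataHash []byte) [32]byte {
	return sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
}

// Sign mimics an ES256 authenticator.
func Sign(priv *ecdsa.PrivateKey, authData, clientDataHash []byte) ([]byte, error) {
	d := signedData(authData, clientDataHash)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// VerifyAssertion performs the relying-party checks and, on success, stores the new counter.
func VerifyAssertion(cred *Credential, rpID string, authData, clientDataHash, sig []byte, requireUV bool) error {
	if len(authData) < 37 {
		return errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to a different relying party")
	}
	flags := authData[32]
	if flags&flagUP == 0 {
		return errors.New("user presence flag not set")
	}
	if requireUV && flags&flagUV == 0 {
		return errors.New("user verification required but not asserted")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	// When the authenticator uses a counter, a value that does not advance is the clone signal.
	if (count != 0 || cred.SignCount != 0) && count <= cred.SignCount {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	d := signedData(authData, clientDataHash)
	if !ecdsa.VerifyASN1(cred.Pub, d[:], sig) {
		return errors.New("invalid signature")
	}
	cred.SignCount = count
	return nil
}

// Scenario registers one credential for "example.com" and returns the outcome of
// three assertions: genuine, produced for a different relying party, and replayed.
func Scenario() (genuine, wrongRP, replay error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	cred := &Credential{Pub: &priv.PublicKey, SignCount: 4}
	cdh := sha256.Sum256([]byte("constructed clientDataJSON")) // stands in for the real clientDataHash

	ad := AuthData("example.com", flagUP|flagUV, 5)
	sig, _ := Sign(priv, ad, cdh[:])
	genuine = VerifyAssertion(cred, "example.com", ad, cdh[:], sig, true)

	// Same key, but the authenticator data names another relying party:
	// example.com must reject it even though the signature itself is valid.
	adOther := AuthData("other.example", flagUP|flagUV, 6)
	sigOther, _ := Sign(priv, adOther, cdh[:])
	wrongRP = VerifyAssertion(cred, "example.com", adOther, cdh[:], sigOther, true)

	// Re-presenting the earlier assertion: counter 5 is not above the stored 5.
	replay = VerifyAssertion(cred, "example.com", ad, cdh[:], sig, true)
	return
}

func main() {
	g, w, r := Scenario()
	fmt.Println("genuine:", g, "| other RP:", w, "| replay:", r)
}
```

The counter rule follows the WebAuthn processing model: if both the stored and presented counters are zero the authenticator does not implement one, otherwise the presented value must strictly exceed the stored one before the relying party updates its record.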

Applications and Use Cases

CTAP-enabled authenticators are used for enterprise single sign-on deployments by companies like Microsoft and Google, consumer account protection for services from Dropbox, GitHub, and Google Accounts, and secure access in financial services at institutions such as JPMorgan Chase and Goldman Sachs. Use cases extend to government identity projects influenced by eIDAS requirements, education platforms used by Coursera and edX, and developer tooling from GitLab and Atlassian that integrate hardware token workflows.

Standards and Compliance

CTAP is part of the broader FIDO2 suite standardized by the FIDO Alliance in cooperation with the World Wide Web Consortium, aligning with recommendations from NIST Special Publications and interoperable with metadata programs operated by organizations like FIDO Alliance and test labs accredited by ETSI. Compliance testing often references criteria from Common Criteria evaluations and certification programs used by vendors such as Yubico and Thales.

Category:Authentication protocols