FIDO2: WebAuthn & CTAP
Moving the World Beyond Passwords
FIDO2 is the overarching term for FIDO Alliance’s newest set of specifications. FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).
FIDO2 cryptographic login credentials are unique across every website, never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
Users unlock cryptographic login credentials with simple built-in methods such as fingerprint readers or cameras on their devices, or by leveraging easy-to-use FIDO security keys. Consumers can select the device that best fits their needs.
Because FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites. Plus, biometric data, when used, never leaves the user’s device.
Inside the FIDO2 Specifications
WebAuthn enables online services to use FIDO Authentication through a standard web API that can be built into browsers and related web platform infrastructure. It is a collaborative effort based on specifications initially submitted by FIDO Alliance to the W3C and then iterated and finalized by the broader FIDO and W3C communities. WebAuthn was designated an official web standard in March 2019. It is currently supported in Windows 10 and Android platforms, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (preview) web browsers.
WebAuthn allows users to log into internet accounts using their preferred device. Web services and apps can – and should – turn on this functionality to give their users an easier login experience via biometrics, mobile devices and/or FIDO security keys — and with much higher security over passwords alone.
For technical information about the W3C Recommendation, look here.
Client to Authenticator Protocol (CTAP)
CTAP enables expanded use cases over previous FIDO standards. It enables external devices such as mobile handsets or FIDO security keys to work with browsers supporting WebAuthn, and also to serve as authenticators to desktop applications and web services.
For technical details about CTAP, look here.
FIDO2’s relationship with other FIDO specs
The specifications under FIDO2 support existing passwordless FIDO UAF and FIDO U2F use cases and expand the availability of FIDO Authentication. Users that already have external FIDO-compliant devices, such as FIDO security keys, will be able to continue to use these devices with web applications that support WebAuthn. Existing FIDO UAF devices can still be used with pre-existing services as well as new service offerings based on the FIDO UAF protocols.
Testing and Certification
FIDO Alliance provides interoperability testing and certification for servers, clients and authenticators adhering to FIDO2 specifications. Additionally, the Alliance has introduced a new Universal Server certification for servers that interoperate with all FIDO authenticator types (FIDO UAF, WebAuthn, CTAP). As a best practice, the FIDO Alliance recommends online services and enterprises deploy a Universal Server to ensure support for all FIDO Certified authenticators.
WebAuthn + CTAP Flow
Collaborating to Drive an Industry Answer
Security on the web has long been a problem which has interfered with the many positive contributions the web makes to society. While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link. WebAuthn will change the way that people access the web.
Google Chrome is dedicated to building a better web, and allowing developers to interact with secure keystores in a structured way helps us continue this mission. As a founding member of the U2F and FIDO2 working groups within FIDO, we’re excited for the launch of these standards and look forward to our continued collaboration.”
“Providing a password alternative that works across devices, apps, browsers, and websites delivers on our commitment to a future without passwords. We are excited to announce that we will add support for WebAuthn API, currently in the approval process stage, and W3C, in Microsoft Edge thanks to our work with the FIDO Alliance.”
With Web Authentication, we’re giving people using Firefox the opportunity to add another layer of security to their browsing experience. Giving people greater control over how they manage their security online and making the internet safer is central to Mozilla’s mission to keep the web open and accessible to all.
Member Perspectives on FIDO2
“The WebAuthn specification is a major and collaborative leap forward in the evolution of simpler, stronger user authentication. As pioneers in the authentication space, Duo Security knows that for security to be effective, it has to be easy. WebAuthn’s security and privacy protections, built-in phishing resistance and ease-of-use give it the potential to drive widespread adoption across enterprise and consumer markets, making everyone safer as a result. True passwordless authentication has been sought for a long time – today, we’re closer to realizing that goal with WebAuthn.”
Duo Security, a Cisco business unit Senior R&D Engineer
“The fact that users get phished is not really their failing. It was a gap in the internet infrastructure that made them vulnerable. With today’s announcement, the internet community is closing that gap. The internet infrastructure now has the tools to provide user friendly phishing-resistant authentication at scale. Google has been part of this journey since the earliest days, we introduced Security Key based authentication in 2014, the Advanced Protection Program in 2017, and the Titan Security Key in 2018. Now with W3C WebAuthn and FIDO2 client support coming across all major client platforms, an expanded set of capabilities is enabled. We look forward to leveraging these to offer our users additional new intuitive login experiences that are phishing-resistant.”
Google & President, FIDO Alliance Product Management Director
“Our work with W3C and FIDO Alliance, and contributions to FIDO2 standards have been a critical piece of Microsoft’s commitment to a world without passwords, which started in 2015. Today, Windows 10 with Microsoft Edge fully supports the WebAuthn standard and millions of users can log in to their Microsoft account without using a password.”
Program Management, Microsoft Identity Division Corporate Vice President
“Providing an alternative to phishable and inconvenient passwords that works across devices, apps, browsers, and websites has been the mission of Nok Nok Labs since our inception. The Web Authentication API is an important step towards the goal of enabling simple and strong authentication on the devices we use in our daily lives. It is imperative that the industry as a whole continues to add support for FIDO Authentication into all platforms to better protect consumers in our digital world.”
Nok Nok Labs Sr. Director of Products
“As an active contributor and board member of FIDO, Daon is eager for the launch of FIDO2 to offer new authentication options to our global customers and their users, through our IdentityX platform. These new standards are another key component in enabling Daon to fulfill its mission of eliminating passwords through biometrics and empowering people across any channel to transact in a trusted manner.”
Daon President (Americas)
“Out of all multi-factor authentication solutions I know of, Web Authentication is our best technical response to the scourge of phishing. Protecting individuals’ privacy and security is fundamental to Mozilla, and Web Authentication plays a key role in that protection. Mozilla supports the advancement of Web Authentication, and its end-goal of a phishing-free future for all the web.”
Mozilla Cryptography Engineer
“One of the key challenges enterprises face today is the ability to mitigate risk while simplifying the login experience for end users at the same time. In supporting FIDO2, Gemalto looks forward to helping organizations rationalize their authentication schemes to effectively manage risk. This can be done by applying the appropriate level of authentication method to diverse use cases, while at the same time making it easy and convenient for end users to securely access multiple enterprise resources.”
Identity & Access Management at Gemalto Senior Vice President
“Nok Nok Labs has seen significant momentum and adoption for FIDO based passwordless authentication for anyone using a mobile application; now with the added FIDO2 standard and the W3C WebAuthn specification, we will be able to provide passwordless, privacy-centric, phishing-resistant, secure authentication through Web browsers on your PCs, and mobile devices. I want to thank the browser community for uniting with us to bring about an interoperable, standards based authentication solution for service providers to implement that is easy-to use and secure for consumers.”
The Fido Alliance & Founder of Nok Nok Labs Inc. Co-Founder
“As a board member of the FIDO Alliance and chair of the FIDO Enterprise Adoption Group, RSA strongly believes there is a role for FIDO in our customers’ secure access transformations. We are committed to supporting the new FIDO2 standard in RSA SecurID Access and believe it will be an important component in RSA’s unique ability to provide our customers with a range of secure and convenient authentication options to help mitigate identity risk.”
RSA & FIDO Alliance Board member and Enterprise Adoption Sub-Group Chair Director of Technology
“Providing security keys to enable simpler yet stronger authentication across all platforms for users worldwide is our primary focus. With this major standards milestone announced by FIDO Alliance and W3C, we are excited to support for the next generation of ubiquitous, hardware-backed FIDO Authentication.”
Feitian Technologies Managing Director of International Business
“Raonsecure is excited to move beyond mobile with FIDO2. Working with the Intel Online Connect platform to bring FIDO authentication to PCs, we are pleased to make it easier for enterprises and individuals to use stronger and more convenient online authentication than ever before, on whatever device they are using.”
“OneSpan is proud to be part of FIDO’s initiative to standardize the authentication industry. As a leading provider of authentication, risk, fraud and mobile security solutions for half of the top 100 global banks, and as a FIDO Alliance Board member and active participant in the FIDO2 working group, OneSpan has embraced the FIDO and FIDO2 standards within our solutions to ensure customers and consumers can easily and securely authenticate to online services.”
OneSpan & FIDO Alliance Board Member Vice President of Product Management
“Today’s standardization of W3C’s WebAuthn marks a milestone in the history of open authentication standards and internet security. Together, we achieved the near-impossible: the creation of a global standard supported by all platforms and browsers. Yubico is grateful to be a part of this journey and we look forward to the possibilities this is going to open for seamless, ubiquitous security for all internet users.”
Yubico CEO & Founder