Overview#CTAP2 (Client To Authenticator Protocol Two) provides additional capabilities such as Biometric Authentication and resident keys which allows richer device interactions with existing Web Authentication API
- CTAP2 supports “user verification”, such as PIN or Biometric Authentication locally on the Hardware-secured key. This enables using the key as both 1st and 2nd factor without need for a server-side password.
- CTAP2 supports storing the Private Key along with some metadata on the device, whereas U2F instead encrypts the Private Key and stores the ciphertext on the server. While the encryption approach allows for simpler hardware and an unlimited number of registrations, the local storage approach allows login without even having to type (or even have) a username. CTAP2 devices supports both.
- CTAP2 has an extensions framework in which an authentication vendor and server can cooperate to implement custom features without the ComputerAssociateIDMLine having to understand them.
- CTAP2 – Web Authentication API – is compatible with more existing Trusted Platform Modules (TPMs) and such hardware. For example, it’s theoretically possible that some Android phones could receive software upgrades that turn their fingerprint sensors into WebAuthn authenticators.