!!! Overview
[{$pagename}] is an [Abbreviation] of [Web Authentication API].

Other [Abbreviation]s used within [{$pagename}]:
* [FIDO] — [Fast IDentity Online], or [FIDO Alliance], a consortium that develops secure, open, phishing-proof [Passwordless Authentication] [standards]. The FIDO [Protocol] Family is a set of protocols developed by the [FIDO Alliance].
* [UAF] — [Universal Authentication Framework]
* [U2F] — [Universal Second Factor]
* [FIDO2] — generally implies "use any of the three protocols"
* [CTAP] — [Client To Authenticator Protocols] — a set of low-level [protocols] used to communicate with [WebAuthn Authenticators] over [BLE]/[NFC]/[USB]. The [CTAP] family includes the [CTAP1|CTAP] and [CTAP2] [protocols].
** CTAP1 — the formal name of the [U2F] [protocol].
** [CTAP2] — the name of the second [version] of the [CTAP] protocol. Its main characteristics are the use of [CBOR] for encoding structures, backwards compatibility with CTAP1 ([U2F]), extensions, and new attestation formats. [CTAP1|CTAP] and [CTAP2] share the same transport layer, so the difference between the versions is mainly structural.
* [WebAuthN] — a browser [JavaScript] [API] that describes an interface for creating and managing [Public Key] [credentials].

[FIDO2] is the newest [FIDO Alliance] [specification] for authentication standards, and [WebAuthN] is a web-based API that allows websites to update their login pages to add FIDO-based authentication on supported browsers and platforms. This is an evolving security ecosystem that will make crossing the bridge to passwordless easier. Cloud-first organizations, or those with a mix of cloud and on-premises infrastructure, can pursue a FIDO2 passwordless strategy. Organizations with cloud-based applications or other [SaaS] applications that use any of the existing Identity Providers can consider a FIDO2 passwordless approach.
Since arriving on the scene, the FIDO Alliance has published three specifications:
* Universal 2nd Factor ([U2F])
* Universal Authentication Framework ([UAF])
* [FIDO2], which comprises
** Web Authentication ([WebAuthN])
** Client to Authenticator Protocol 2 ([CTAP2])

!! FIDO 1.0: U2F and UAF
In [2014|Year 2014], [FIDO] published the Universal Authentication Framework (UAF), which was intended to implement passwordless authentication through biometrics. They then added Universal 2nd Factor (U2F), developed by [Google] and [Yubico] as a more secure replacement for traditional OTP-based two-factor authentication (2FA). U2F included its own client-side protocol, Client to Authenticator Protocol (CTAP), which could be used to authenticate a token via USB, near-field communication (NFC), or Bluetooth.

By doing this, FIDO 1.0 implemented public-key cryptography in a way that overcame the inherent vulnerabilities of OTPs sent across insecure networks. Instead of a simple PIN, a private/public key pair was created during registration for a service, with the private key secured on the user's token or device and never transmitted. This meant there was nothing to intercept and steal. All the service provider retained was the public key associated with the user.

Nevertheless, FIDO 1.0 was still two protocols built to do different things and created in the interests of two different players—an industry alliance backed by [PayPal] ([UAF]), and [Google] ([U2F]). But one big name, [Apple], was missing, and it set about implementing its own biometric authentication, namely Touch ID and later Face ID. The risk was that [FIDO] would become fragmented, with the user experience dictated by platforms and devices. On the plus side, [UAF] had embedded support for biometric authentication inside mobile devices, while [U2F] was supported natively inside the world's most popular web browser, [Chrome].
This meant that FIDO authentication wasn't something users had to enable or download—it was an embedded capability to which many already had access.

!! FIDO2 and [Web Authentication API]
[FIDO2] is a further development of [Google] and [Yubico]'s U2F protocol with an expanded version of [CTAP], now called [CTAP2]. While U2F was designed to act as a second factor alongside passwords, FIDO2's purpose is to allow [Passwordless Authentication]. It does this via a new [Web Authentication API] ([WebAuthN]). This [API] allows web applications to use [Public Key] [encryption] and [Authenticators] directly. So where FIDO 1.0 still required usernames and passwords, FIDO2 has created the architecture needed to do away with traditional credentials.

WebAuthn with CTAP2 has two important capabilities. First, it is backwards-compatible with and complementary to U2F and UAF, so anyone using those technologies can continue to do so even as efforts shift to WebAuthn and CTAP2. Second, WebAuthn has been adopted by the World Wide Web Consortium (W3C), meaning it is an open web standard rather than one backed by just a handful of companies. Browser support for WebAuthn has been added to Chrome, Firefox, and Edge.

How will WebAuthn improve on FIDO 1.0 from the user's point of view? By making authentication universal and easy to use, and by allowing everyone to move beyond passwords (a form of authentication that has become a global security weakness). However, challenges remain, such as overcoming a lack of awareness about the need for authentication, and the perception that UAF and U2F were only intended for businesses and power users. This can be overcome by brands and service providers offering WebAuthn as a default option. The challenge over the next two years will be to get more ordinary web users to switch from passwords to WebAuthn—it's just a matter of trust.

[{$applicationname}] strongly supports open standards such as [FIDO2] and [WebAuthN].
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]