What is the CTAP protocol and what is it for?

The vast majority of users decide to make their purchases online because of the convenience and speed with which they can buy a given product, without having to look for it physically in a shop, queue to pay and carry it home. With the growth of online shopping, security has become a fundamental issue. Today we are going to explain what the CTAP protocol is and what it is for.

For the last decade, any website we access to make a purchase, any social network, forum, etc., has always asked us to log in with a username or email address, along with the password we chose when registering the account. The main problem with this login method, that is, with identifying ourselves on the website this way, is that it can be very easy to steal this data or discover our password. This usually happens because users do not choose strong passwords, as these can be harder to memorize.

Because of all these security problems, the FIDO Alliance, together with the World Wide Web Consortium, better known as the W3C, has developed a much safer and more convenient system for logging into websites. This work resulted in the creation of FIDO2 and WebAuthn, which we have already discussed in Networks Zone, but there is another equally or even more important mechanism that most users do not know about: CTAP (Client to Authenticator Protocol).

What is CTAP

The first thing we need to know is that FIDO2 and WebAuthn are systems designed to replace the password system that all users use today. With FIDO2 and WebAuthn you can use biometric data to log in; a simple example is laptops, mobiles and other devices that incorporate a fingerprint reader.

Thanks to the fingerprint reader, the fingerprint itself can take the place of our password. It is very important not to confuse this with the systems found on many devices today that keep the password stored and fill it in when you log in (a password manager). That is not FIDO2 or WebAuthn: there we are simply reading a database stored on our device to enter the password for that website automatically.



Another option that also exists, and is increasingly used in companies, is a device that connects to our computer like a USB key and incorporates hardware that authenticates us and gives us a secure login.

With this in mind, we want to explain how CTAP works. In the case above, CTAP would be the protocol in charge of controlling communication between the USB key and the authenticator token. In other words, CTAP is the protocol responsible for secure communication between the two parties, so that first they communicate, second they authenticate and third, finally, the login can take place.

CTAP Versions

Now that we have seen what CTAP is and how it works, it is important to know that there are currently two quite different versions of CTAP, which we look at below:

  • U2F (Universal 2nd Factor): The first version of CTAP created was also the first version of the protocol, and it is better known as U2F, which stands for “Universal 2nd Factor”. This version covers two-factor authentication, or, as many of you will know it, the two-step authentication that has become so common in recent years.
  • CTAP2: The second version of CTAP is CTAP2. CTAP2 is used together with WebAuthn and is what allows FIDO2 to work. That is, while WebAuthn handles the connection between the user’s computer and the website, the CTAP2 protocol is responsible for the connection between the user’s computer and the website through the authenticator. In short, WebAuthn takes care of the connection to the website and CTAP2 of the connection to the authenticator.


How the CTAP protocol works

The first thing we have to be clear about is that CTAP and WebAuthn have to work together to make FIDO2 possible.

We all know that, to be able to log in to a website, online application, etc., it must have implemented an authentication system. With FIDO2, logging in is done thanks to an external device such as the USB key we mentioned above, which is really a token that identifies the user who owns it on the website, application, etc. Thanks to the token we avoid having to use a password, which could very easily be stolen or guessed.

Authentication connection methods

There are currently different methods of connecting our authentication device to our computer. Although the most common today is a device that plugs into the USB port, since these were among the first to be designed, the device that provides our secure login token can also be connected by NFC or Bluetooth.

What is necessary for our secure login device to work

In order to use a device to authenticate, we must at least have a web browser that supports the new CTAP, WebAuthn and FIDO2 standards. If our browser is up to date, both Google Chrome and Mozilla Firefox support FIDO2 in their latest versions.

Other types of authenticators

As we said before, with smartphones that have fingerprint readers, iris recognition or even face recognition we can authenticate to different services. Because these authentication methods are built into the hardware, they do not need any external component, and therefore a separate protocol for communicating with the device, which is what CTAP provides, is not necessary.



How CTAP communication works

CTAP communication works as follows:

  • First: the web browser connects to our authentication device and asks it for information.
  • Second: once the browser has contacted the device, the device sends it information about the authentication methods it can offer the browser.
  • Third: based on the information received, the browser sends an order to the authenticator, and the result can be a login or an error.
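To make the three steps above concrete, here is a toy model of the exchange in Python. It is an added example, not code from the original article or from the FIDO Alliance. The real protocol encodes every message in CBOR and carries it over USB HID, NFC or BLE; here plain Python dicts stand in for the wire format, and an HMAC stands in for the per-credential private-key signature a real key produces. The command and status byte values are the ones the CTAP2 specification assigns (getInfo 0x04, makeCredential 0x01, getAssertion 0x02, success 0x00, NO_CREDENTIALS 0x2E, OPERATION_DENIED 0x27); the class and function names are my own. The example also shows why the page's closing claim about phishing holds: the credential is bound to the site it was registered for, so a look-alike domain gets an error instead of a login.

```python
"""Toy CTAP exchange: browser (client) on one side, security key on the other.
Added example; the dicts and HMAC are simplifications of CBOR and signatures."""
import hashlib
import hmac
import secrets

# CTAP2 command bytes (values from the CTAP2 specification)
CMD_MAKE_CREDENTIAL = 0x01
CMD_GET_ASSERTION = 0x02
CMD_GET_INFO = 0x04

# CTAP2 status bytes (values from the CTAP2 specification)
CTAP2_OK = 0x00
CTAP1_ERR_INVALID_COMMAND = 0x01
CTAP2_ERR_OPERATION_DENIED = 0x27
CTAP2_ERR_NO_CREDENTIALS = 0x2E


class ToyAuthenticator:
    """Stand-in for a USB key. Secrets never leave the object; only
    signatures over the browser's challenge do (hypothetical class)."""

    def __init__(self, user_present=True):
        self._creds = {}             # rp_id -> (credential_id, secret_key)
        self.user_present = user_present  # models the touch/button press

    def handle(self, cmd, params):
        """Dispatch one CTAP command and return (status, response)."""
        if cmd == CMD_GET_INFO:
            # Step 2: the device describes what it can offer the browser
            return CTAP2_OK, {"versions": ["FIDO_2_0", "U2F_V2"],
                              "options": {"up": True, "rk": True, "uv": False},
                              "transports": ["usb", "nfc"]}
        if cmd == CMD_MAKE_CREDENTIAL:
            if not self.user_present:
                return CTAP2_ERR_OPERATION_DENIED, {}
            cred_id = secrets.token_bytes(16)
            key = secrets.token_bytes(32)
            self._creds[params["rp_id"]] = (cred_id, key)
            return CTAP2_OK, {"credential_id": cred_id}
        if cmd == CMD_GET_ASSERTION:
            entry = self._creds.get(params["rp_id"])
            if entry is None:
                # Credential is bound to the RP ID it was registered for,
                # so a look-alike domain has nothing to sign with.
                return CTAP2_ERR_NO_CREDENTIALS, {}
            if not self.user_present:
                return CTAP2_ERR_OPERATION_DENIED, {}
            cred_id, key = entry
            msg = params["rp_id"].encode() + params["client_data_hash"]
            sig = hmac.new(key, msg, hashlib.sha256).digest()  # stands in for a signature
            return CTAP2_OK, {"credential_id": cred_id, "signature": sig}
        return CTAP1_ERR_INVALID_COMMAND, {}


def register(authenticator, rp_id):
    """Browser asks the key to create a credential for rp_id."""
    return authenticator.handle(CMD_MAKE_CREDENTIAL, {"rp_id": rp_id})


def client_login(authenticator, rp_id, challenge):
    """The browser-side half of the three-step exchange."""
    # Step 1: connect and ask the device for information
    status, info = authenticator.handle(CMD_GET_INFO, {})
    if status != CTAP2_OK or "FIDO_2_0" not in info["versions"]:
        return "error", status
    # Step 3: send the order; the challenge hash binds this login attempt
    client_data_hash = hashlib.sha256(challenge).digest()
    status, resp = authenticator.handle(
        CMD_GET_ASSERTION, {"rp_id": rp_id, "client_data_hash": client_data_hash})
    if status != CTAP2_OK:
        return "error", status
    return "login", resp


def demo():
    """Legitimate site logs in; a constructed look-alike domain is refused."""
    key = ToyAuthenticator()
    register(key, "example.com")
    ok = client_login(key, "example.com", b"constructed-challenge")
    phish = client_login(key, "example.com.evil.test", b"constructed-challenge")
    return ok[0], phish


if __name__ == "__main__":
    print(demo())  # ('login', ('error', 46))
```

The point to take from `demo()` is the defender's one: the browser never sees a secret it could leak, and the key only answers for the RP ID a credential was created under, which is what makes a credential-phishing page come back with `CTAP2_ERR_NO_CREDENTIALS` rather than a valid login.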

Once we see how CTAP communication works, we can better understand how the systems used by manufacturers such as Apple work. When the authentication hardware is built into the physical hardware of the device, login data such as our fingerprint or our face never leave the device. That is, the web browser only sends confirmation via WebAuthn that the login is valid, but it never checks that the fingerprint or the image of our face is genuine, since the device takes care of that by incorporating everything in the same hardware.

We can say that thanks to CTAP, WebAuthn and FIDO2 it is finally possible to eliminate man-in-the-middle attacks that steal passwords, and phishing, since users do not have to provide any password to log in.