FIDO2: Associated Standards Overview

August 19, 2023

Breaking down the roles and functions of FIDO2’s associated specifications.

When implementing passwordless authentication with passkeys, examining the building blocks of the FIDO2 standard is a good place to start. FIDO2 is made up of several specifications — for example, the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) or the FIDO Alliance’s Client to Authenticator Protocol (CTAP).

Let’s review the associated standards of FIDO2 to better understand how it provides a standardized, interoperable authentication framework for web and platform applications alike.


WebAuthn is a standard web API that was developed by the FIDO Alliance in collaboration with W3C. WebAuthn is built into leading browsers and platforms to enable support for FIDO2 authentication (passkeys) through a straightforward JavaScript API. As a result, users can make use of passkeys on familiar web platforms as well as their personal devices.

In everyday use, WebAuthn is the component that’s most relevant for those implementing passwordless logins with passkeys. To better illustrate this point, we can look to some of the leading tech companies that are already making use of WebAuthn — this list includes Google, Mozilla, Microsoft, Apple, and more.
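For implementers, the server side of a WebAuthn ceremony starts with checks on the `clientDataJSON` the browser returns. The following is an added example, not code from this article: it runs in Node.js, and the origin allowlist, challenge, and helper names are constructed for illustration (signature verification is a separate step and is not shown).

```javascript
// Origins this relying party serves (constructed sample value).
const ALLOWED_ORIGINS = new Set(["https://login.example.com"]);

// Validate the clientDataJSON bytes from a WebAuthn response.
// expectedType: "webauthn.create" (registration) or "webauthn.get" (login).
// expectedChallenge: Buffer holding the challenge this server issued for the session.
function verifyClientData(clientDataJSON, expectedType, expectedChallenge) {
  let cd;
  try {
    cd = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  } catch {
    return { ok: false, reason: "clientDataJSON is not valid JSON" };
  }
  if (cd === null || typeof cd !== "object") {
    return { ok: false, reason: "clientDataJSON is not an object" };
  }
  if (cd.type !== expectedType) return { ok: false, reason: "unexpected type" };
  // The browser echoes the challenge as base64url; compare the encoded form exactly.
  if (cd.challenge !== expectedChallenge.toString("base64url")) {
    return { ok: false, reason: "challenge mismatch" };
  }
  // The origin is filled in by the browser, so a look-alike site cannot forge it.
  if (!ALLOWED_ORIGINS.has(cd.origin)) return { ok: false, reason: "origin not allowed" };
  if (cd.crossOrigin === true) return { ok: false, reason: "cross-origin ceremony" };
  return { ok: true, reason: null };
}

// Constructed sample input: a challenge and a helper that builds clientDataJSON bytes.
const SAMPLE_CHALLENGE = Buffer.from("0123456789abcdef0123456789abcdef", "hex");
function sampleClientData(overrides) {
  const fields = {
    type: "webauthn.get",
    challenge: SAMPLE_CHALLENGE.toString("base64url"),
    origin: "https://login.example.com",
    crossOrigin: false,
    ...overrides,
  };
  return Buffer.from(JSON.stringify(fields), "utf8");
}
```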

Secure Payment Confirmation (SPC)

In June 2023, the latest version of a proposed W3C standard known as Secure Payment Confirmation (SPC) was released as a recommendation draft. SPC is a Web API that effectively streamlines the use of WebAuthn authentication in online payments.

SPC builds upon WebAuthn’s capabilities, making it possible for payment service providers to provide a consistent payment experience to customers. SPC is designed to scale, too — once a user has registered an authenticator with the relying party, they can then use it to authenticate themselves on different merchant sites.

This standard is currently supported by Google Chrome and Microsoft Edge web browsers.

The Client to Authenticator Protocol (CTAP)

Looking back at our explanation of how FIDO2 works, the Client to Authenticator Protocol (CTAP) is at the core of this process when using cross-platform authenticators. CTAP is the mechanism that defines the communication protocol between client devices and the authenticators that are responsible for performing FIDO2 authentication. By facilitating data exchanges and responses between these two entities, CTAP delivers a streamlined, consistent authentication experience to users across different devices and platforms.

While WebAuthn is the specification that online service providers implementing FIDO2 authentication work with most closely, CTAP is primarily relevant for hardware manufacturers and operating system vendors.

When it comes to how CTAP interacts with FIDO2 authenticator types, it’s important to reiterate that CTAP is only relevant for cross-platform authenticators that have been connected to the main device via USB, Bluetooth, or NFC. On the other hand, CTAP isn’t required for platform authenticators, as the authentication takes place in the same device context (in other words, the authenticator is built directly into a laptop or mobile device). 

Figure: FIDO2 authenticator attachments for laptops, smartphones, and desktops, with USB, NFC, and QR code options.

A Look Back at UAF and U2F

Although its name implies that FIDO2 is the second variant of the authentication standard, there were, in fact, two iterations that preceded FIDO2: the Universal Authentication Framework (UAF) and the Universal 2nd Factor (U2F). UAF and U2F were both completed and published by the FIDO Alliance in late 2014.

In the same vein as FIDO2, both of these protocols were designed to provide strong authentication to web applications. Importantly, FIDO2 is backward compatible with both UAF and U2F, which emphasizes its ongoing commitment to interoperability.

Universal Authentication Framework (UAF)

The Universal Authentication Framework (UAF) is the FIDO Alliance’s initial authentication framework and passwordless protocol. With its focus on passwordless and biometric-based authentication methods, UAF makes it possible for users to authenticate themselves using biometrics (such as a fingerprint or facial recognition) or other locally stored credentials (such as a PIN code) without needing to rely on traditional passwords.

Universal 2nd Factor (U2F)

The Universal 2nd Factor (U2F) protocol was created to provide a strong two-factor authentication method through its use of public-key cryptography. 

In the words of the FIDO Alliance, “FIDO U2F allows online services to augment the security of their existing password infrastructure by adding a strong second factor to user login.”

Public-key cryptography is also at the core of FIDO2’s CTAP specification, as we’ve explained above. (In fact, upon the release of FIDO2, U2F was renamed as CTAP1.)
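Both the U2F-to-CTAP1 renaming and the platform versus cross-platform distinction described earlier are visible in an authenticator's reply to the CTAP2 authenticatorGetInfo command. The following is an added example, not code from this article or the FIDO Alliance: a minimal CBOR reader and parser run over a constructed response, with the member numbers and the `U2F_V2`, `FIDO_2_0` and `plat` strings taken from the CTAP2 specification.

```javascript
// Minimal CBOR reader: only the types a GetInfo response needs in this example.
function decodeCbor(buf, pos = 0) {
  if (pos >= buf.length) throw new RangeError("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  pos += 1;
  if (major === 7) { // simple values: only false (20) and true (21)
    if (info === 20 || info === 21) return [info === 21, pos];
    throw new Error("unsupported simple value " + info);
  }
  let n = info; // values below 24 are stored in the initial byte itself
  if (info === 24) { n = buf.readUInt8(pos); pos += 1; }
  else if (info === 25) { n = buf.readUInt16BE(pos); pos += 2; }
  else if (info > 25) throw new Error("unsupported length encoding");
  if (major === 0) return [n, pos];       // unsigned integer
  if (major === 1) return [-1 - n, pos];  // negative integer
  if (major === 2 || major === 3) {       // byte string / text string
    if (pos + n > buf.length) throw new RangeError("truncated CBOR string");
    const raw = buf.subarray(pos, pos + n);
    return [major === 3 ? raw.toString("utf8") : Buffer.from(raw), pos + n];
  }
  if (major !== 4 && major !== 5) throw new Error("unsupported major type " + major);
  const out = major === 4 ? [] : new Map(); // array or map of n entries
  for (let i = 0; i < n; i++) {
    let key, value;
    if (major === 5) [key, pos] = decodeCbor(buf, pos);
    [value, pos] = decodeCbor(buf, pos);
    if (major === 4) out.push(value); else out.set(key, value);
  }
  return [out, pos];
}

// Parse an authenticatorGetInfo response: one status byte, then a CBOR map.
function parseGetInfo(response) {
  if (response[0] !== 0x00) throw new Error("CTAP2 status is not OK");
  const [info, end] = decodeCbor(response, 1);
  if (!(info instanceof Map) || end !== response.length) throw new Error("malformed response");
  const versions = info.get(0x01); // required member: supported protocol versions
  if (!Array.isArray(versions)) throw new Error("versions member missing");
  const options = info.get(0x04) instanceof Map ? info.get(0x04) : new Map();
  return {
    versions,
    speaksCtap1: versions.includes("U2F_V2"), // U2F, renamed CTAP1
    speaksCtap2: versions.some((v) => String(v).startsWith("FIDO_2_")),
    platformAttached: options.get("plat") === true, // built into the client device
  };
}
// Constructed sample: OK status, versions [U2F_V2, FIDO_2_0], zero AAGUID, options {rk: true, plat: false}.
const SAMPLE_GETINFO = Buffer.from("00a3018266" + "5532465f5632" + "68" + "4649444f5f325f30" +
  "0350" + "00".repeat(16) + "04a262726bf564706c6174f4", "hex");
```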

In our upcoming blog post, we’ll be exploring how FIDO2 authentication and passkeys are being implemented by brands and multiple industries as well as how banks and fintech companies can get started with passkeys. Stay tuned!
