I've been reading both the FIDO and FIDO2 specs for a while, trying to understand the similarities and differences between them. Here is how I have broken it down so far:

  • FIDO: First iteration in creating a cross-industry standard for a passwordless / 2FA experience (with UAF and U2F)
  • FIDO2: Second iteration (with CTAP and WebAuthn)
  • U2F: specifies a JavaScript API and a HID protocol for FIDO
  • CTAP: specifies a HID protocol for FIDO2
  • WebAuthn: specifies a JavaScript API for FIDO2

Do you think this is accurate? Any other information you think is useful?

Filipe Rodrigues
  • This article seems to have a pretty good summary of the various standards: https://blog.strongkey.com/blog/guide-to-fido-protocols-u2f-uaf-webauthn-fido2 – natevw Mar 20 '21 at 00:38

1 Answer

You are right except for a few points, so let me break it down for you.

  • FIDO: First iteration in creating a cross-industry standard for a passwordless / 2FA experience (with UAF and U2F) ---> Yes, you are right about that, but remember FIDO 1.0 never achieved standardization.

  • FIDO2: Second iteration (with CTAP and WebAuthn) --> Partially right about FIDO 2.0. It comprises WebAuthn (the browser API), a W3C standard, and CTAP2 (the authenticator API) (formerly known as U2F/CTAP1), and the FIDO Alliance also relabeled U2F as CTAP1. Quite confusing, but yeah, we have to live with it.

  • U2F: specifies a JavaScript API and a HID protocol for FIDO --> Yes, you are right.

  • CTAP: specifies a HID protocol for FIDO2 --> Yes, you are right. CTAP is like a client-side protocol for establishing communication with external security keys.

  • WebAuthn: specifies a JavaScript API for FIDO2 --> Perfect.
andjava
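The answer's point that U2F was relabeled CTAP1 and lives on under FIDO2 shows up concretely at a WebAuthn relying party: a registration from a U2F/CTAP1 key arrives with the attestation format "fido-u2f" and an all-zero AAGUID, while a CTAP2 key uses another format (packed, tpm, none, ...) and reports its own AAGUID. The following is an added example, not code from the question or the answer; the two attestation objects are constructed (empty attestation statements, a made-up AAGUID, no real signature), and the CBOR decoder is a minimal one written here for the demonstration.

```python
def cbor_decode(b, i=0):
    # Minimal CBOR: unsigned ints, byte/text strings and maps cover the outer layer of a WebAuthn attestationObject.
    # Initial byte = 3-bit major type + 5-bit argument; arguments 24/25/26 mean 1/2/4 length bytes follow.
    mt, val, i = b[i] >> 5, b[i] & 0x1F, i + 1
    if val >= 24:
        n = {24: 1, 25: 2, 26: 4}[val]
        val, i = int.from_bytes(b[i:i + n], "big"), i + n
    if mt == 0:
        return val, i
    if mt in (2, 3):
        item = bytes(b[i:i + val])
        return (item if mt == 2 else item.decode()), i + val
    if mt == 5:
        out = {}
        for _ in range(val):
            k, i = cbor_decode(b, i)
            out[k], i = cbor_decode(b, i)
        return out, i
    raise ValueError("unsupported CBOR major type %d" % mt)

def parse_authenticator_data(ad):
    # rpIdHash(32) | flags(1) | signCount(4, big-endian) | attested credential data when the AT flag (0x40) is set.
    flags = ad[32]
    info = {"up": bool(flags & 0x01), "uv": bool(flags & 0x04), "at": bool(flags & 0x40),
            "sign_count": int.from_bytes(ad[33:37], "big")}
    if info["at"]:  # aaguid(16) | credIdLen(2, big-endian) | credId | COSE public key
        cred_len = int.from_bytes(ad[53:55], "big")
        info["aaguid"], info["credential_id"] = ad[37:53].hex(), ad[55:55 + cred_len]
    return info

def classify_attestation(attestation_object):
    att, _ = cbor_decode(attestation_object)
    info = parse_authenticator_data(att["authData"])
    info["fmt"] = att["fmt"]
    # WebAuthn reports a U2F (CTAP1) key as fmt "fido-u2f" with an all-zero AAGUID;
    # CTAP2 keys use other formats (packed, tpm, none, ...) and carry their own AAGUID.
    u2f = att["fmt"] == "fido-u2f" and info.get("aaguid") == "00" * 16
    info["generation"] = "U2F/CTAP1" if u2f else "CTAP2"
    return info

def constructed_attestation(fmt, aaguid):
    # Constructed sample attestationObject with an empty attStmt (no real signature or certificate chain).
    cose_key = bytes.fromhex("a201020326")  # CBOR {1: 2, 3: -7}: EC2 key, ES256, coordinates omitted
    auth_data = b"\x11" * 32 + b"\x41" + b"\x00\x00\x00\x05" + aaguid + b"\x00\x04" + b"\xaa\xbb\xcc\xdd" + cose_key
    return (b"\xa3\x63fmt" + bytes([0x60 + len(fmt)]) + fmt.encode() + b"\x67attStmt\xa0"
            + b"\x68authData\x58" + bytes([len(auth_data)]) + auth_data)

U2F_SAMPLE = constructed_attestation("fido-u2f", b"\x00" * 16)  # legacy U2F key seen through WebAuthn
CTAP2_SAMPLE = constructed_attestation("packed", b"\xab" * 16)  # FIDO2 key with a made-up AAGUID
```

A real relying party would additionally verify the attestation statement's signature and certificate chain before trusting the AAGUID; this block only shows how the two authenticator generations are told apart.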