The FIDO Alliance has published the CTAP 2.3 Specification. No breaking changes were introduced between CTAP 2.2 and CTAP 2.3, so implementations of CTAP 2.2 are conformant to CTAP 2.3. For that reason, the Alliance decided to provide certification for CTAP 2.3 implementations rather than create a separate certification category for CTAP 2.2 implementations.

These are the features added and refined in CTAP 2.3:

  • Multiple Data Transfer Channels for Hybrid Interactions: CTAP 2.3 adds support for multiple data transfer channels for Hybrid interactions. Specifically, QR-Initiated transactions can now specify the data transfer channel to use. The default is Websockets (which was supported by CTAP 2.2). The new data transfer channel that can be specified is Bluetooth Low Energy.
  • Long Touch for Reset: CTAP 2.3 adds support for Long Touch for Reset. This feature allows the authenticator to communicate to the platform that the authenticator reset ceremony requires a long touch.
  • Added “FIDO_2_3” to Supported Versions List: The value “FIDO_2_3” was added to the list of supported versions in authenticatorGetInfo to indicate support for CTAP 2.3. Note that no value was created to indicate support for CTAP 2.2.
  • ISO7816 (NFC) Evidence of User Interaction: Clarified the intended behaviors for providing Evidence of User Interaction on authenticators that support the ISO7816 contact interface or the ISO14443 contactless interface (NFC) and have no way to collect a user gesture inside the authenticator boundary other than a power-on gesture.
  • setMinPINLength: Clarified in authenticatorGetInfo that setMinPINLength may be used when the Authenticator supports PIN entry via built-in User Verification.
  • authenticatorReset: Stated that either authenticatorReset SHOULD be supported or the authenticator MUST provide an alternate way to reset the device to a factory default state.
  • pinComplexityPolicy and setMinPINLength: The description of the interactions between pinComplexityPolicy and setMinPINLength was refined.
  • smart-card: smart-card was added to the list of FIDO Interfaces.
  • FIDO Applet Selection: Prohibited the authenticator from allowing the FIDO Applets to be implicitly selected or enabled.
  • NFCCTAP_GETRESPONSE: Refined NFCCTAP_GETRESPONSE timeout behaviors.
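
The “FIDO_2_3” version string and the setMinPINLength option above are both read from an authenticator's authenticatorGetInfo response, which is a CBOR map behind a one-byte CTAP status. The following is an added example, not FIDO Alliance code: it decodes a constructed getInfo response with a hand-written CBOR subset (no cbor2 dependency) and reports whether CTAP 2.3 and setMinPINLength are advertised. The map key numbers (0x01 versions, 0x03 aaguid, 0x04 options, 0x0D minPINLength) follow the CTAP 2.1+ numbering; the sample bytes and aaguid are constructed.

```python
"""Summarize a CTAP authenticatorGetInfo response (added example, not FIDO code).
The CBOR decoder is a minimal hand-written subset that covers only the
types a getInfo map uses: ints, byte/text strings, arrays, maps, booleans."""

from typing import Any, Tuple


def _read_arg(buf: bytes, pos: int, info: int) -> Tuple[int, int]:
    """Decode the argument of a CBOR head byte (additional info 0..27)."""
    if info < 24:
        return info, pos
    size = {24: 1, 25: 2, 26: 4, 27: 8}[info]
    return int.from_bytes(buf[pos:pos + size], "big"), pos + size


def cbor_decode(buf: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Decode one CBOR data item starting at pos; return (value, next_pos)."""
    head = buf[pos]
    major, info = head >> 5, head & 0x1F
    pos += 1
    if major == 0:                              # unsigned integer
        return _read_arg(buf, pos, info)
    if major == 1:                              # negative integer
        n, pos = _read_arg(buf, pos, info)
        return -1 - n, pos
    if major in (2, 3):                         # byte string / text string
        n, pos = _read_arg(buf, pos, info)
        raw = buf[pos:pos + n]
        return (raw if major == 2 else raw.decode("utf-8")), pos + n
    if major == 4:                              # array
        n, pos = _read_arg(buf, pos, info)
        items = []
        for _ in range(n):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:                              # map
        n, pos = _read_arg(buf, pos, info)
        out = {}
        for _ in range(n):
            key, pos = cbor_decode(buf, pos)
            val, pos = cbor_decode(buf, pos)
            out[key] = val
        return out, pos
    if major == 7 and info in (20, 21):         # false / true
        return info == 21, pos
    raise ValueError(f"unsupported CBOR head 0x{head:02x} at offset {pos - 1}")


# authenticatorGetInfo response map keys (CTAP 2.1+ numbering).
GETINFO_VERSIONS = 0x01
GETINFO_AAGUID = 0x03
GETINFO_OPTIONS = 0x04
GETINFO_MIN_PIN_LENGTH = 0x0D


def summarize_get_info(response: bytes) -> dict:
    """Parse a raw getInfo response (CTAP status byte + CBOR map)."""
    status = response[0]
    if status != 0x00:                          # anything but CTAP2_OK
        raise ValueError(f"authenticator returned error status 0x{status:02x}")
    info, end = cbor_decode(response, 1)
    if end != len(response):
        raise ValueError("trailing bytes after getInfo map")
    versions = info.get(GETINFO_VERSIONS, [])
    options = info.get(GETINFO_OPTIONS, {})
    return {
        "versions": versions,
        # "FIDO_2_3" is the only marker for CTAP 2.3; CTAP 2.2 added no marker,
        # so its absence does not prove the authenticator lacks 2.2 features.
        "ctap23": "FIDO_2_3" in versions,
        "setMinPINLength": options.get("setMinPINLength", False),
        "clientPin": options.get("clientPin", False),
        "minPINLength": info.get(GETINFO_MIN_PIN_LENGTH),
        "aaguid": info.get(GETINFO_AAGUID, b"").hex(),
    }


# Constructed sample response: status 0x00, then a 4-entry map with
# versions ["FIDO_2_0","FIDO_2_1","FIDO_2_3"], a made-up aaguid,
# options {rk, up, clientPin, setMinPINLength: true}, minPINLength 4.
SAMPLE_GETINFO = bytes.fromhex(
    "00"
    "a4"
    "01" "83" "684649444f5f325f30" "684649444f5f325f31" "684649444f5f325f33"
    "03" "50000102030405060708090a0b0c0d0e0f"
    "04" "a4" "62726bf5" "627570f5" "69636c69656e7450696ef5"
    "6f7365744d696e50494e4c656e677468f5"
    "0d" "04"
)

if __name__ == "__main__":
    print(summarize_get_info(SAMPLE_GETINFO))
```

A platform that needs a CTAP 2.3-only behavior should key off the “FIDO_2_3” string, while feature probes such as setMinPINLength come from the options map rather than the version list; the two checks are independent, which is why the summary reports them separately.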

A corresponding version of the Server Requirements document was also published: Server Requirements (WebAuthn Level 3 and CTAP2.3). Recent server requirements additions are:

More good work moving passkeys forward!