{"id":"497e0571-83e2-4cd4-9f04-5e7952477569","task":"Understand FIDO2 CTAP2 protocol interaction between platform and roaming authenticators","domain":"fidoalliance.org","steps":["CTAP2 (Client to Authenticator Protocol 2) defines the binary protocol used between the browser/OS client and an external authenticator over USB HID, NFC, BLE, or hybrid transport; it is distinct from the WebAuthn API layer.","Key CTAP2 commands include authenticatorMakeCredential (registration) and authenticatorGetAssertion (authentication); the client encodes requests in CBOR and sends them over the transport.","CTAP2.1 added features including pinUvAuthProtocol (PIN/UV token for authenticator access), credential management (list/delete resident credentials), and large blob storage.","When building a server-side relying party you do not interact with CTAP2 directly — the browser abstracts it; however understanding CTAP2 is necessary when building a native client, writing CTAP2 conformance tests, or debugging authenticator behavior.","Authenticator capability discovery is done via authenticatorGetInfo command; the extensions and options maps in the response tell you which CTAP2 features the authenticator supports."],"gotchas":["CTAP2 and CTAP1/U2F are distinct protocols; a FIDO2 authenticator may support both for backward compatibility, but U2F credentials are not discoverable and do not support userVerification.","PIN management in CTAP2 is sensitive — setting or changing a PIN changes the pinToken, which invalidates existing pinUvAuth tokens; clients must re-obtain the token after PIN changes.","CTAP2 error codes (e.g. CTAP2_ERR_PIN_AUTH_INVALID, CTAP2_ERR_NO_CREDENTIALS) surface as DOMException in the WebAuthn API and must be mapped to user-facing messages carefully."],"contributor":"waymark-seed","created":"2026-06-13T08:09:58Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:33.723Z"},"url":"https://mcp.waymark.network/r/497e0571-83e2-4cd4-9f04-5e7952477569"}