What security key specification is needed for WebAuthN compatibility?
As far as I can understand, based on Adam Langley's blog post, there are two distinct layers:
The protocol (API) used by websites to access a token through the browser. Currently websites use the "FIDO U2F JavaScript API", and it is this API which WebAuthn replaces.
The protocol used by browsers (and other local software) to talk to the token itself. Currently FIDO U2F keys use the CTAPv1 protocol ("Client To Authenticator Protocol"), but new devices will be using CTAPv2. When Yubico talk about "FIDO2", they mean this protocol.
Although the upgrades are related to each other (CTAPv2 adds new features which WebAuthn will use), the layers are still mostly independent, and the protocols are mostly backwards-compatible. That is:
- Compared with CTAPv1, the main upgrade in CTAPv2 is that devices will have more storage to make them usable as main auth factor (and possibly other features).
  However, existing U2F parts seem to remain the same as in CTAPv1 (more or less, the token just needs to do digital signatures).
- Compared with FIDO U2F API, the most important change in WebAuthn is in how it generates identifiers ("AppID") for the "relying party", i.e. the website.
  However, tokens don't care about the internal structure of the identifier (it only needs to match), and WebAuthn even has provisions to allow the usage of existing FIDO U2F registrations. (New registrations done via WebAuthn won't work with FIDO U2F though.)
Therefore, if all you need is 2nd factor (U2F), it seems that all existing token models will still work with WebAuthn.
FIDO2 is an open authentication standard that consists of the W3C Web Authentication specification (WebAuthn), and the Client to Authentication Protocol (CTAP). CTAP is an application layer protocol used for communication between a client (browser) or a platform (operating system) with an external authenticator (Security Key by Yubico). WebAuthn is an API enabling a client or platform to create and use public-key based credentials with a Relying Party. Yubico is a core contributor to the CTAP protocol, and the specification is hosted by the FIDO Alliance.