CTAP is the protocol used between computers and security keys. CTAP 2.1 defines[1] a security key extension called credBlob that is designed to store a hash value that can be used to authenticate externally provided data. This feature involves plumbing that value through WebAuthn to let the security key see it.

[1] https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#sctn-credBlob-extension


credBlob is designed to associate a SHA-256 hash with a credential on a security key. Microsoft (will) use this to allow externally-provided (and thus untrusted) data to be authenticated during an OS login process when central servers are unavailable. Exposing this extension via WebAuthn makes it possible to create compatible credentials via the web; otherwise all such credentials would have to be created via native tools.
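The flow described above, as an added example that is not Chromium's or Microsoft's code: the SHA-256 of some external data is stored with the credential at registration, and untrusted data is later accepted only if its hash matches the value the security key returns. The extension member names (`credBlob`, `getCredBlob`) are assumed from the WebAuthn credBlob extension definition rather than taken from this page; the helper names and sample data are hypothetical.

```javascript
// Added example. Extension member names (credBlob, getCredBlob) are assumed
// from the WebAuthn credBlob extension; helper names are hypothetical.

// Browsers and current Node expose globalThis.crypto; older Node needs the fallback.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// SHA-256 of the externally provided data (32 bytes).
async function sha256(bytes) {
  return new Uint8Array(await webcrypto.subtle.digest('SHA-256', bytes));
}

// Registration: value for publicKey.extensions in navigator.credentials.create().
async function registrationExtensions(externalData) {
  return { credBlob: (await sha256(externalData)).buffer };
}

// Assertion: value for publicKey.extensions in navigator.credentials.get().
function assertionExtensions() {
  return { getCredBlob: true };
}

// Registration result: only `true` means the security key stored the hash.
function blobWasStored(extensionResults) {
  return extensionResults.credBlob === true;
}

// Assertion result: accept the external data only if its SHA-256 equals the
// 32-byte value returned by the security key. Anything else fails closed.
async function externalDataIsAuthentic(extensionResults, externalData) {
  const stored = extensionResults.getCredBlob;
  if (!(stored instanceof ArrayBuffer) || stored.byteLength !== 32) return false;
  const a = new Uint8Array(stored);
  const b = await sha256(externalData);
  let diff = 0;
  for (let i = 0; i < 32; i++) diff |= a[i] ^ b[i]; // compare all 32 bytes
  return diff === 0;
}

// Constructed sample data standing in for the externally provided blob.
const SAMPLE_DATA = new TextEncoder().encode('constructed offline login policy v1');
```

In a page, the extension results passed to `blobWasStored` and `externalDataIsAuthentic` come from `credential.getClientExtensionResults()`.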


Specification link

Unknown standards status - check spec link for status

Status in Chromium


No active development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signals



Last updated on 2021-12-07