The Cryptotoken component extension offers a chrome.runtime.sendMessage() API that allows any web site to make requests to a user's FIDO U2F security key. Cryptotoken and its API have been subsumed by the W3C Web Authentication API.


U2F is Chrome’s original security key API. It allows sites to register public key credentials on USB security keys and challenge them for building phishing-resistant two-factor authentication systems. U2F never became an Open Web standard and was subsumed by WebAuthn (launched in M67). Chrome never directly supported the FIDO U2F JavaScript API in Blink, but rather shipped a component extension called cryptotoken, which exposes an equivalent chrome.runtime.sendMessage API. U2F and Cryptotoken are firmly in maintenance mode and we encouraged sites to migrate to WebAuthn two years ago.

Status in Chromium


In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signals


Last updated on 2022-05-15