diff --git a/fido2/ctap.c b/fido2/ctap.c
index c7f2d55..1214b1e 100644
--- a/fido2/ctap.c
+++ b/fido2/ctap.c
@@ -11,6 +11,7 @@
 #include "cbor.h"
 
 #include "ctap.h"
+#include "u2f.h"
 #include "ctaphid.h"
 #include "ctap_parse.h"
 #include "ctap_errors.h"
@@ -431,6 +432,12 @@ static int ctap_make_extensions(CTAP_extensions * ext, uint8_t * ext_encoder_buf
     return 0;
 }
 
+static unsigned int get_credential_id_size(CTAP_credentialDescriptor * cred)
+{
+    if (cred->type == PUB_KEY_CRED_CTAP1)
+        return U2F_KEY_HANDLE_SIZE;
+    return sizeof(CredentialId);
+}
 
 static int ctap_make_auth_data(struct rpId * rp, CborEncoder * map, uint8_t * auth_data_buf, uint32_t * len, CTAP_credInfo * credInfo)
 {
@@ -655,11 +662,25 @@ uint8_t ctap_add_attest_statement(CborEncoder * map, uint8_t * sigder, int len)
 // Return 1 if credential belongs to this token
 int ctap_authenticate_credential(struct rpId * rp, CTAP_credentialDescriptor * desc)
 {
+    uint8_t rpIdHash[32];
     uint8_t tag[16];
 
-    make_auth_tag(desc->credential.id.rpIdHash, desc->credential.id.nonce, desc->credential.id.count, tag);
+    switch(desc->type)
+    {
+        case PUB_KEY_CRED_PUB_KEY:
+            make_auth_tag(desc->credential.id.rpIdHash, desc->credential.id.nonce, desc->credential.id.count, tag);
+            return (memcmp(desc->credential.id.tag, tag, CREDENTIAL_TAG_SIZE) == 0);
+        break;
+        case PUB_KEY_CRED_CTAP1:
+            printf1(TAG_CTAP,"PUB_KEY_CRED_CTAP1\r\n");
+            crypto_sha256_init();
+            crypto_sha256_update(rp->id, rp->size);
+            crypto_sha256_final(rpIdHash);
+            return u2f_authenticate_credential((struct u2f_key_handle *)&desc->credential.id, rpIdHash);
+        break;
+    }
 
-    return (memcmp(desc->credential.id.tag, tag, CREDENTIAL_TAG_SIZE) == 0);
+    return 0;
 }
 
 
@@ -806,7 +827,8 @@ static uint8_t ctap_add_credential_descriptor(CborEncoder * map, CTAP_credential
         ret = cbor_encode_text_string(&desc, "id", 2);
         check_ret(ret);
 
-        ret = cbor_encode_byte_string(&desc, (uint8_t*)&cred->credential.id, sizeof(CredentialId));
+        ret = cbor_encode_byte_string(&desc, (uint8_t*)&cred->credential.id,
+            get_credential_id_size(cred));
         check_ret(ret);
     }
 
@@ -1021,7 +1043,8 @@ uint8_t ctap_end_get_assertion(CborEncoder * map, CTAP_credentialDescriptor * cr
         check_ret(ret);
     }
 
-    crypto_ecc256_load_key((uint8_t*)&cred->credential.id, sizeof(CredentialId), NULL, 0);
+    unsigned int cred_size = get_credential_id_size(cred);
+    crypto_ecc256_load_key((uint8_t*)&cred->credential.id, cred_size, NULL, 0);
 
 #ifdef ENABLE_U2F_EXTENSIONS
     if ( extend_fido2(&cred->credential.id, sigder) )
@@ -1170,8 +1193,6 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
         printf1(TAG_GA,"CRED ID (# %d)\n", GA.creds[j].credential.id.count);
     }
 
-
-
     CTAP_credentialDescriptor * cred = &GA.creds[validCredCount - 1];
 
     GA.extensions.hmac_secret.credential = &cred->credential;
diff --git a/fido2/ctap.h b/fido2/ctap.h
index 53a5d80..33f9edb 100644
--- a/fido2/ctap.h
+++ b/fido2/ctap.h
@@ -112,6 +112,7 @@
 #define CREDENTIAL_ENC_SIZE         176  // pad to multiple of 16 bytes
 
 #define PUB_KEY_CRED_PUB_KEY        0x01
+#define PUB_KEY_CRED_CTAP1          0x41
 #define PUB_KEY_CRED_UNKNOWN        0x3F
 
 #define CREDENTIAL_IS_SUPPORTED     1
diff --git a/fido2/ctap_parse.c b/fido2/ctap_parse.c
index 64cd2f6..fd92e85 100644
--- a/fido2/ctap_parse.c
+++ b/fido2/ctap_parse.c
@@ -9,6 +9,7 @@
 #include "cbor.h"
 
 #include "ctap.h"
+#include "u2f.h"
 #include "ctap_parse.h"
 #include "ctap_errors.h"
 #include "cose_key.h"
@@ -890,10 +891,15 @@ uint8_t parse_credential_descriptor(CborValue * arr, CTAP_credentialDescriptor *
 
     buflen = sizeof(CredentialId);
     cbor_value_copy_byte_string(&val, (uint8_t*)&cred->credential.id, &buflen, NULL);
-    if (buflen != sizeof(CredentialId))
+    
+    if (buflen == U2F_KEY_HANDLE_SIZE)
+    {
+        printf2(TAG_PARSE,"CTAP1 credential\n");
+        cred->type = PUB_KEY_CRED_CTAP1;
+    }
+    else if (buflen != sizeof(CredentialId))
     {
         printf2(TAG_ERR,"Ignoring credential is incorrect length\n");
-        //return CTAP2_ERR_CBOR_UNEXPECTED_TYPE; // maybe just skip it instead of fail?
     }
 
     ret = cbor_value_map_find_value(arr, "type", &val);
@@ -906,11 +912,15 @@ uint8_t parse_credential_descriptor(CborValue * arr, CTAP_credentialDescriptor *
     }
 
     buflen = sizeof(type);
-    cbor_value_copy_text_string(&val, type, &buflen, NULL);
+    ret = cbor_value_copy_text_string(&val, type, &buflen, NULL);
+    check_ret(ret);
 
     if (strncmp(type, "public-key",11) == 0)
     {
-        cred->type = PUB_KEY_CRED_PUB_KEY;
+        if (PUB_KEY_CRED_CTAP1 != cred->type)
+        {
+            cred->type = PUB_KEY_CRED_PUB_KEY;
+        }
     }
     else
     {
diff --git a/fido2/u2f.c b/fido2/u2f.c
index 677e04a..e711ea1 100644
--- a/fido2/u2f.c
+++ b/fido2/u2f.c
@@ -183,21 +183,21 @@ int8_t u2f_new_keypair(struct u2f_key_handle * kh, uint8_t * appid, uint8_t * pu
 }
 
 
-
-static int8_t u2f_appid_eq(struct u2f_key_handle * kh, uint8_t * appid)
+// Return 1 if authenticate, 0 if not.
+int8_t u2f_authenticate_credential(struct u2f_key_handle * kh, uint8_t * appid)
 {
     uint8_t tag[U2F_KEY_HANDLE_TAG_SIZE];
     u2f_make_auth_tag(kh, appid, tag);
     if (memcmp(kh->tag, tag, U2F_KEY_HANDLE_TAG_SIZE) == 0)
     {
-        return 0;
+        return 1;
     }
     else
     {
         printf1(TAG_U2F, "key handle + appid not authentic\n");
         printf1(TAG_U2F, "calc tag: \n"); dump_hex1(TAG_U2F,tag, U2F_KEY_HANDLE_TAG_SIZE);
         printf1(TAG_U2F, "inp  tag: \n"); dump_hex1(TAG_U2F,kh->tag, U2F_KEY_HANDLE_TAG_SIZE);
-        return -1;
+        return 0;
     }
 }
 
@@ -214,7 +214,7 @@ static int16_t u2f_authenticate(struct u2f_authenticate_request * req, uint8_t c
     if (control == U2F_AUTHENTICATE_CHECK)
     {
         printf1(TAG_U2F, "CHECK-ONLY\r\n");
-        if (u2f_appid_eq(&req->kh, req->app) == 0)
+        if (u2f_authenticate_credential(&req->kh, req->app))
         {
             return U2F_SW_CONDITIONS_NOT_SATISFIED;
         }
@@ -226,7 +226,7 @@ static int16_t u2f_authenticate(struct u2f_authenticate_request * req, uint8_t c
     if (
             (control != U2F_AUTHENTICATE_SIGN && control != U2F_AUTHENTICATE_SIGN_NO_USER) ||
             req->khl != U2F_KEY_HANDLE_SIZE ||
-            u2f_appid_eq(&req->kh, req->app) != 0 ||     // Order of checks is important
+            (!u2f_authenticate_credential(&req->kh, req->app)) ||     // Order of checks is important
             u2f_load_key(&req->kh, req->app) != 0
 
         )
diff --git a/fido2/u2f.h b/fido2/u2f.h
index 1fe7910..9055b36 100644
--- a/fido2/u2f.h
+++ b/fido2/u2f.h
@@ -103,6 +103,7 @@ void u2f_request(struct u2f_request_apdu* req, CTAP_RESPONSE * resp);
 // @len data length
 void u2f_request_nfc(uint8_t * req, int len, CTAP_RESPONSE * resp);
 
+int8_t u2f_authenticate_credential(struct u2f_key_handle * kh, uint8_t * appid);
 
 int8_t u2f_response_writeback(const uint8_t * buf, uint16_t len);
 void u2f_reset_response();