
Revised txAuthSimple extension

Open rlin1 opened this issue 1 year ago • 1 comments

With the original txAuthSimple extension included in WebAuthn-Level 1 (https://www.w3.org/TR/webauthn-1/#sctn-simple-txauth-extension), an authenticator could display transaction text.

With secure payment confirmation (SPC) the browser can be used to show payment details and use an authenticator to approve the payment. But there is no way to show and approve non-payment transactions.

The challenge is to ensure the transaction text was visible to the user and to return evidence of this to the RP.

Proposed Change

The revised txAuthSimple extension allows the browser or the authenticator to display the transaction text (string) and reflect that in the WebAuthn assertion. The previous version (included in WebAuthn-Level 1) always required the authenticator to display it - practically preventing traditional security keys from being used in such a context.

Exemplary use cases are: a) ability to move money from one account to another, b) share health data with hospitals.

rlin1, Feb 14 '24 10:02

See PR #2020

rlin1, Feb 14 '24 10:02