Re-Open "confirmation" discussion (see PR#2020)
I was asked by the FIDO2 working group to re-open the transaction confirmation discussion in the WebAuthn WG.
Description
- Ability for relying parties to pass a confirmation prompt to the authenticator (e.g., security key with a display) through official "rails" - as opposed to using other protocol elements that were introduced for other purposes.
- Ability for the authenticator to cryptographically link the confirmation prompt to the generated assertion - if the authenticator has shown it.
- Ability for the client (e.g., Browser) to display the confirmation prompt on behalf of the authenticator (e.g., security key without a display).
- Ability for the client to include the confirmation prompt that was shown in the clientDataJSON.
Related Links
See https://github.com/w3c/webauthn/pull/2020 as a starting point.
I’m still a strong advocate for these extensions to the WebAuthn spec — not least because they would finally enable adoption in more heavily regulated sectors like banking and other high-value or high-risk transactions.
No browser vendor interest to implement
There is interest from Google in this. I will work on priorities internally, but there's support for shipping this (at least for physical security keys for now).