Query about Transaction Confirmation implementation in FIDO and txAuthSimple Extension
184 views
Skip to first unread message
Yashpal Slathia
Apr 28, 2021, 4:16:26 AM4/28/21
to fido...@fidoalliance.org
Hi,
If we have to implement transaction confirmation in FIDO, how can we implement it?
I was going through FIDO specifications and came to know about txAuthSimple Extension (https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-simple-txauth-extension).
As per the specification, this FIDO extension may help to achieve transaction confirmation flow in FIDO.
But this particular extension is missing in the latest specification link - https://www.w3.org/TR/webauthn/#sctn-appid-exclude-extension. There is no txAuthSimple extension at 10.2.
Does anyone know if this extension is supported by common browsers like Chrome, IE, Safari etc? Also, does Android and Windows Hello as a platform support this natively?
Your inputs are appreciated.
Regards,
Yashpal
Philipp Junghannß
Apr 28, 2021, 4:32:50 AM4/28/21
to Yashpal Slathia, FIDO Dev (fido-dev)
android iirc is weird with FIDO in several ways anyway. For Browsers the extension is a lot less relevant as long as they pass it through to the authenticator, but for external authenticators there are almost or no options that support it due to the obvious need for a display. I am not aware of Win Hello supporting it, and for iOS I cannot really say anything as I dont have one.
Regards.
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CALyYV97c8xoLJMfrYHY-dzjofsr_TxBN7eSxr90bDztr7DPvww%40mail.gmail.com.
nuno sung
Apr 28, 2021, 5:07:17 AM4/28/21
to FIDO Dev (fido-dev), yashpal...@gmail.com
https://github.com/w3c/webauthn/issues/1386
You may consider below one instead.
yashpal...@gmail.com 在 2021年4月28日 星期三下午4:16:26 [UTC+8] 的信中寫道:
Arshad Noor
Apr 29, 2021, 2:42:17 PM4/29/21
to Yashpal Slathia, fido...@fidoalliance.org
Since extensions are not mandatory, W3C policy allowed Transaction
Confirmation (TC) extensions to be in the WebAuthn Level 1 specification.
However, by the time Level 2 came out, none of the browsers had
implemented any of the TC extensions. By policy, they had to be removed;
so its no longer in the Level 2 spec.
The Secure Payments Confirmation capability being developed at W3C,
which while it uses FIDO2, is based on a different working group's spec:
https://www.w3.org/Payments/WG/ which involves additional APIs to be
used in the browser application.
If your focus is only on mobile devices - and Android specifically, for
now - then you could look at the open-source Android library we released
in Preview Mode last month at
https://github.com/StrongKey/fido2/tree/master/sampleapps/java/sacl.
It does not use the WebAuthn API, but it does support TC using "dynamic
linking" with a FIDO2 digital signature which can be verified if you're
using our open-source FIDO Certified server from
https://github.com/StrongKey/fido2.
The sample e-commerce app at the SACL URL above demonstrates how it
works. Screenshots are at the 5:00 minute mark on this YT video:
https://www.youtube.com/watch?v=tp5i9_e7xEY
Hope that helps.
Arshad Noor
StrongKey
On 4/28/21 1:16 AM, Yashpal Slathia wrote:
> Hi,
> If we have to implement transaction confirmation in FIDO, how can we
> implement it?
> I was going through FIDO specifications and came to know
> about txAuthSimple Extension
> (https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-simple-txauth-extension
> <https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-simple-txauth-extension>).
Confirmation (TC) extensions to be in the WebAuthn Level 1 specification.
However, by the time Level 2 came out, none of the browsers had
implemented any of the TC extensions. By policy, they had to be removed;
so its no longer in the Level 2 spec.
The Secure Payments Confirmation capability being developed at W3C,
which while it uses FIDO2, is based on a different working group's spec:
https://www.w3.org/Payments/WG/ which involves additional APIs to be
used in the browser application.
If your focus is only on mobile devices - and Android specifically, for
now - then you could look at the open-source Android library we released
in Preview Mode last month at
https://github.com/StrongKey/fido2/tree/master/sampleapps/java/sacl.
It does not use the WebAuthn API, but it does support TC using "dynamic
linking" with a FIDO2 digital signature which can be verified if you're
using our open-source FIDO Certified server from
https://github.com/StrongKey/fido2.
The sample e-commerce app at the SACL URL above demonstrates how it
works. Screenshots are at the 5:00 minute mark on this YT video:
https://www.youtube.com/watch?v=tp5i9_e7xEY
Hope that helps.
Arshad Noor
StrongKey
On 4/28/21 1:16 AM, Yashpal Slathia wrote:
> Hi,
> If we have to implement transaction confirmation in FIDO, how can we
> implement it?
> I was going through FIDO specifications and came to know
> about txAuthSimple Extension
> (https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-simple-txauth-extension
> As per the specification, this FIDO extension may help to achieve
> transaction confirmation flow in FIDO.
> But this particular extension is missing in the latest specification
> link - https://www.w3.org/TR/webauthn/#sctn-appid-exclude-extension
> <https://www.w3.org/TR/webauthn/#sctn-appid-exclude-extension>. There is
> transaction confirmation flow in FIDO.
> But this particular extension is missing in the latest specification
> link - https://www.w3.org/TR/webauthn/#sctn-appid-exclude-extension
> no txAuthSimple extension at 10.2.
> Does anyone know if this extension is supported by common browsers like
> Chrome, IE, Safari etc? Also, does Android and Windows Hello as a
> platform support this natively?
>
> Your inputs are appreciated.
>
> Regards,
> Yashpal
>
> Does anyone know if this extension is supported by common browsers like
> Chrome, IE, Safari etc? Also, does Android and Windows Hello as a
> platform support this natively?
>
> Your inputs are appreciated.
>
> Regards,
> Yashpal
>
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to fido-dev+u...@fidoalliance.org
> <mailto:fido-dev+u...@fidoalliance.org>.
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to fido-dev+u...@fidoalliance.org
> To view this discussion on the web visit
> https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CALyYV97c8xoLJMfrYHY-dzjofsr_TxBN7eSxr90bDztr7DPvww%40mail.gmail.com
> <https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CALyYV97c8xoLJMfrYHY-dzjofsr_TxBN7eSxr90bDztr7DPvww%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CALyYV97c8xoLJMfrYHY-dzjofsr_TxBN7eSxr90bDztr7DPvww%40mail.gmail.com
Reply all
Reply to author
Forward
0 new messages