Delegated Authentication with FIDO2 and WebAuthn

Skip to first unread message

Benjamin Heimann

Mar 5, 2024, 9:50:14 AMMar 5
to FIDO Dev (fido-dev)
Hello Everyone,

Typically, when you make a payment online with your credit card, you must authorize the transaction with a two-factor authentication with your bank, a process referred to as Strong Customer Authentication (SCA).
However, there is an option to delegate the authorization of the transaction to the merchant, a process known as Delegated Authentication. The merchant can take over the authorization process with the help of FIDO2: the user registers a passkey with the merchant; the user purchases something from the merchant online; the user authorizes the transaction with their passkey.

There are some documents that describe how Delegated Authentication with FIDO can be implemented on a high level. These documents explain that each payment instrument (credit card) must be individually registered by the user for Delegated Authentication at the merchant.

My question is whether a separate FIDO key pair (i.e. WebAuthn credential) needs to be created for each payment instrument or if it's sufficient to just create a single credential for each user. 
Unfortunately, the details in the FIDO paper linked below aren't entirely clear on this. Does anyone here have experience implementing Delegated Authentication with FIDO and can provide some hints / technical implementation details?

Related Documents:
- FIDO for SCA Delegation to Merchants or Wallet Providers - a FIDO Paper
- W3C Secure Payment Confirmation - a WebAuthn extension to support financial transactions in the browser
- Mastercard Delegated Authentication for Merchants - describes what a typical Delegated Authentication flow looks like.
Reply all
Reply to author
0 new messages