Hello Everyone,
Typically, when you make a payment online with your credit card, you must authorize the transaction with a two-factor authentication with your bank, a process referred to as Strong Customer Authentication (SCA).
However, there is an option to delegate the authorization of the transaction to the merchant, a process known as Delegated Authentication. The merchant can take over the authorization process with the help of FIDO2: the user registers a passkey with the merchant; the user purchases something from the merchant online; the user authorizes the transaction with their passkey.
There are some documents that describe how Delegated Authentication with FIDO can be implemented on a high level. These documents explain that each payment instrument (credit card) must be individually registered by the user for Delegated Authentication at the merchant.
My question is whether a separate FIDO key pair (i.e. WebAuthn credential) needs to be created for each payment instrument or if it's sufficient to just create a single credential for each user.