Transaction signing/confirmation using FIDO2

48 views
Skip to first unread message

Thirumal Bandi

unread,
Jun 23, 2021, 10:49:01 PMJun 23
to FIDO Dev (fido-dev)
Hello All,

I am looking at the possibility of replacing the transaction signing using OCRA with the transaction signing using FIDO. However, I do not see any provision in the FIDO2 specification. 

Does anyone have any recommendation or pointers to on how we can achieve the transaction confirmation or signing using FIDO2?

Thanks
Thirumal Bandi

Arshad Noor

unread,
Jun 23, 2021, 11:10:22 PMJun 23
to Thirumal Bandi, FIDO Dev (fido-dev)
Hi Thirumal,

While WebAuthn Level-1 had Transaction Authorization defined in its
spec, not a single browser implemented it. As a result, it has been
removed from WebAuthn Level-2; while it does not prevent a browser from
implementing the capability based on the Level-1 spec, its highly
unlikely anyone will.

Two developments that might be of interest:

1) There is experimental work going on in the W3C that is not currently
a standard yet,- it leverages FIDO credentials to implement this
capability:
https://www.w3.org/blog/wpwg/2021/03/26/secure-payment-confirmation-stripe-experiment-and-next-steps/

2) While not an implementation of the WebAuthn Level-1 specification,
StrongKey's open-source, FIDO Certified server added capability to
perform transaction authorization using FIDO2 credentials. To
demonstrate this, there is a native Android client library and a sample
app that showcases how it can be done:
https://github.com/StrongKey/fido2/tree/master/sampleapps/java/sacl

At the moment, the StrongKey FIDO server will return results that map to
the FIDO Alliance-EMVCo defined elements for transmitting FIDO-signed
transactions over EMV 3DS messaging:
https://fidoalliance.org/technical-note-fido-authentication-and-emv-3-d-secure-using-fido-for-payment-authentication/

So, if you're looking to implement a rich client app on Android (9 or
greater), you have the ability to start experimenting right away.

If you're looking to do it on desktops, then you can keep up with what's
going on with SPC. While you can deploy FIDO today to register users and
authenticate them to your web-apps, you may have to wait to experiment
with transaction confirmation.

Hope that helps.

Arshad Noor
StrongKey
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to fido-dev+u...@fidoalliance.org
> <mailto:fido-dev+u...@fidoalliance.org>.
> To view this discussion on the web visit
> https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/f85e93bd-4bb8-40f0-a9b8-58c88c7770b9n%40fidoalliance.org
> <https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/f85e93bd-4bb8-40f0-a9b8-58c88c7770b9n%40fidoalliance.org?utm_medium=email&utm_source=footer>.

Philipp Junghannß

unread,
Jun 24, 2021, 4:06:13 AMJun 24
to Arshad Noor, Thirumal Bandi, FIDO Dev (fido-dev)
how are browsers supposed to do txauth the idea is that a authenticator with a secure display are supposed to do the txauth and tell me if I am wrong but iirc authenticator extensions are just to be passed through and don't really need explicit browser support, as the browser is not involved in processing.

The issue here is more that there are basically no FIDO2 devices with a screen (or at least almost none I am aware of). The Trezor T, as the only device I am aware that has both a screen and FIDO2, however being a 180€ Cryptocoin wallet, I wouldn't call it feasible to use it only for FIDO anyway) has no TxAuth support, Ledger which said they wanted TxAuth in their Wallets have pushed FIDO2 back for at least a year while I have see it at least, and still is U2F only. the other cryptocoin wallets with support for ANYTHING Fido really are generally only U2F.

Regards.

To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/14378d19-292e-2f22-ec9e-44d226b887f6%40strongkey.com.

Arshad Noor

unread,
Jun 24, 2021, 6:48:27 AMJun 24
to Philipp Junghannß, Thirumal Bandi, FIDO Dev (fido-dev)
You are correct in your statement, Philipp: browsers are not involved in
the cryptographic processing of the transaction. But, assuming you're
not using an external authenticator with a secure display that supports
TxAuth, the issue is that the browser has to understand enough about
TxAuth to know that the transaction has to be displayed in a manner that
cannot be modified on the client side (other than to prompt the user to
accept/reject the transaction with the "FIDO credential gesture" (PIN,
Pattern, Biometric). And, this does require platform support.

Android and iOS have that support currently: BiometricPrompt on Android
and some equivalent on iOS (I'm not as knowledgeable on iOS as on
Android). Which is why we chose to implement TxAuth on Android and are
looking for an iOS developer currently. :-)

Arshad

On 6/24/21 1:06 AM, Philipp Junghannß wrote:
> how are browsers supposed to do txauth the idea is that a authenticator
> with a secure display are supposed to do the txauth and tell me if I am
> wrong but iirc authenticator extensions are just to be passed through
> and don't really need explicit browser support, as the browser is not
> involved in processing.
>
> The issue here is more that there are basically no FIDO2 devices with a
> screen (or at least almost none I am aware of). The Trezor T, as the
> only device I am aware that has both a screen and FIDO2, however being a
> 180€ Cryptocoin wallet, I wouldn't call it feasible to use it only for
> FIDO anyway) has no TxAuth support, Ledger which said they wanted TxAuth
> in their Wallets have pushed FIDO2 back for at least a year while I have
> see it at least, and still is U2F only. the other cryptocoin wallets
> with support for ANYTHING Fido really are generally only U2F.
>
> Regards.
>
> Am Do., 24. Juni 2021 um 05:10 Uhr schrieb Arshad Noor
> <arsha...@strongkey.com <mailto:arsha...@strongkey.com>>:
> <mailto:fido-dev%2Bunsu...@fidoalliance.org>
> > <mailto:fido-dev+u...@fidoalliance.org
> <mailto:fido-dev%2Bunsu...@fidoalliance.org>>.
> <https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/f85e93bd-4bb8-40f0-a9b8-58c88c7770b9n%40fidoalliance.org?utm_medium=email&utm_source=footer
> <https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/f85e93bd-4bb8-40f0-a9b8-58c88c7770b9n%40fidoalliance.org?utm_medium=email&utm_source=footer>>.
>
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to fido-dev+u...@fidoalliance.org
> <mailto:fido-dev%2Bunsu...@fidoalliance.org>.
> To view this discussion on the web visit
> https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/14378d19-292e-2f22-ec9e-44d226b887f6%40strongkey.com
> <https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/14378d19-292e-2f22-ec9e-44d226b887f6%40strongkey.com>.
>
Reply all
Reply to author
Forward
0 new messages