While WebAuthn Level-1 had Transaction Authorization defined in its
spec, not a single browser implemented it. As a result, it has been
removed from WebAuthn Level-2; while it does not prevent a browser from
implementing the capability based on the Level-1 spec, its highly
unlikely anyone will.
Two developments that might be of interest:
1) There is experimental work going on in the W3C that is not currently
a standard yet,- it leverages FIDO credentials to implement this
2) While not an implementation of the WebAuthn Level-1 specification,
StrongKey's open-source, FIDO Certified server added capability to
perform transaction authorization using FIDO2 credentials. To
demonstrate this, there is a native Android client library and a sample
app that showcases how it can be done:
At the moment, the StrongKey FIDO server will return results that map to
the FIDO Alliance-EMVCo defined elements for transmitting FIDO-signed
transactions over EMV 3DS messaging:
So, if you're looking to implement a rich client app on Android (9 or
greater), you have the ability to start experimenting right away.
If you're looking to do it on desktops, then you can keep up with what's
going on with SPC. While you can deploy FIDO today to register users and
authenticate them to your web-apps, you may have to wait to experiment
with transaction confirmation.
Hope that helps.
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to fido-dev+u...@fidoalliance.org
> To view this discussion on the web visit