With the original txAuthSimple extension included in WebAuthn-Level 1 (https://www.w3.org/TR/webauthn-1/#sctn-simple-txauth-extension), the authenticator could display the transaction text.
With secure payment confirmation (SPC) the browser can be used to show payment details and use an authenticator to approve the payment. But there is no way to show and approve non-payment transactions.
The challenge is to ensure the transaction text was visible to the user and to return evidence of this to the RP.
Proposed Change
The revised txAuthSimple extension allows the browser or the authenticator to display the transaction text (string) and reflect that in the WebAuthn assertion. The previous version (included in WebAuthn-Level 1) always required the authenticator to display it, practically preventing traditional security keys from being used in such a context.
Exemplary use cases are:
a) ability to move money from one account to another
b) share health data with hospitals
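
How an RP can check the evidence returned by the WebAuthn-Level 1 txAuthSimple extension linked above, as an added example that is not part of the proposal. It assumes the Level 1 output format (a CBOR text string under the key `txAuthSimple` in the signed authenticator data), not the revised extension's format, which this text does not define; all function names are hypothetical.

```javascript
// Added example: Level 1 txAuthSimple check on the RP side.
// Assumes the assertion signature over authData was already verified.
const AT = 0x40, ED = 0x80; // authenticator data flag bits

// Read one CBOR text string (major type 3) at pos; returns [text, nextPos].
function readText(buf, pos) {
  const head = buf[pos++];
  if (head >> 5 !== 3) throw new Error("expected CBOR text string");
  let len = head & 0x1f;
  if (len === 24) len = buf[pos++];
  else if (len === 25) { len = buf.readUInt16BE(pos); pos += 2; }
  else if (len > 25) throw new Error("unsupported CBOR length");
  if (!(pos + len <= buf.length)) throw new Error("truncated CBOR string");
  return [buf.toString("utf8", pos, pos + len), pos + len];
}

// Return the signed txAuthSimple output, or null if the authenticator sent none.
// Simplification: every extension output in the map is assumed to be a text string.
function txAuthSimpleOutput(authData) {
  if (authData.length < 37) throw new Error("authData too short");
  const flags = authData[32];
  if (!(flags & ED)) return null;
  if (flags & AT) throw new Error("unexpected attested credential data");
  let pos = 37; // rpIdHash(32) + flags(1) + signCount(4)
  const head = authData[pos++];
  if (head >> 5 !== 5 || (head & 0x1f) > 23) throw new Error("expected small CBOR map");
  for (let i = 0; i < (head & 0x1f); i++) {
    let key, value;
    [key, pos] = readText(authData, pos);
    [value, pos] = readText(authData, pos);
    if (key === "txAuthSimple") return value;
  }
  return null;
}

// Assumption: the authenticator only inserts line breaks, so drop them before comparing.
const stripBreaks = (s) => s.replace(/[\r\n]/g, "");
function transactionWasDisplayed(authData, requestedText) {
  const shown = txAuthSimpleOutput(authData);
  return shown !== null && stripBreaks(shown) === stripBreaks(requestedText);
}

// Constructed sample authData: zero rpIdHash, flags UP|UV|ED, signCount 1.
function sampleAuthData(shownText) {
  const text = Buffer.from(shownText, "utf8"); // sample text must be under 256 bytes
  const head = text.length < 24 ? [0x60 | text.length] : [0x78, text.length];
  return Buffer.concat([Buffer.alloc(32), Buffer.from([0x85, 0, 0, 0, 1, 0xa1, 0x6c]),
    Buffer.from("txAuthSimple"), Buffer.from(head), text]);
}
```

A missing extension output is treated as a failed check, so an authenticator that ignored the extension cannot pass as having shown the text.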