[webauthn] Transaction Authorization provides a simple and effective method to implement the PSD2 Dynamic Linking requirement. (#1396)

js165 has just created a new issue for https://github.com/w3c/webauthn:

== Transaction Authorization provides a simple and effective method to implement the PSD2 Dynamic Linking requirement. ==
Transaction Authorization provides a simple and effective method to implement the PSD2 Dynamic Linking requirement.
In the Browser case, JavaScript injection attacks (as Adam Langley explained) are a problem for the relying party to know what the user really sees.
So I think it would be important to have Browsers implementing transaction authorization - rather than removing the extension.

We might even want to find a way to allow Browsers to support Transaction Authorization even with authenticators that don’t have a display.
One idea would be to let the Browser include the transaction text in the “CollectedClientData” in the case the Authenticator doesn’t provide native support for txAuth.
 
With that the Browser would send the transaction text to the Authenticator if the authenticator supports displaying it, and the *browser* would display the transaction if the authenticator doesn't support transaction confirmation, e.g. most security keys.

_Originally posted by @rlin1 in https://github.com/w3c/webauthn/issues/1386#issuecomment-600105458_

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1396 using your GitHub account

Received on Tuesday, 31 March 2020 21:51:07 UTC
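
The fallback proposed in this issue, seen from the relying party's side, as an added example (not code from the issue, the WebAuthn spec, or any browser). The `txAuthText` member of CollectedClientData is a hypothetical name, and the key pair, RP ID, challenge and transaction text are constructed; because the assertion signature covers the hash of clientDataJSON, the RP can check that the text the browser displayed is the text it has on record.

```javascript
const crypto = require('node:crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Returns 'ok' or the reason the assertion must be rejected.
function verifyTxAssertion({ clientDataJSON, authenticatorData, signature }, expected, publicKey) {
  // The authenticator signs authenticatorData || SHA-256(clientDataJSON), so any
  // change to the browser-supplied transaction text invalidates the signature.
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signed, publicKey, signature)) return 'bad signature';
  // authenticatorData starts with SHA-256(rpId), then a flags byte (bit 0 = user present).
  if (!authenticatorData.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))) return 'rpId mismatch';
  if ((authenticatorData[32] & 0x01) === 0) return 'user not present';
  // Parse the client data only after the signature over its hash has verified.
  const cd = JSON.parse(clientDataJSON.toString('utf8'));
  if (cd.type !== 'webauthn.get') return 'wrong type';
  if (cd.challenge !== expected.challenge) return 'challenge mismatch';
  if (cd.origin !== expected.origin) return 'origin mismatch';
  // Dynamic linking: the signed text must be exactly the amount and payee the RP
  // recorded for this transaction (txAuthText is a hypothetical field name).
  if (cd.txAuthText !== expected.txText) return 'transaction text mismatch';
  return 'ok';
}

// Constructed sample: a throwaway P-256 key stands in for a display-less security key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const expected = { rpId: 'bank.example', origin: 'https://bank.example',
  challenge: 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl', txText: 'Pay 25.00 EUR to ACME GmbH' };

function makeAssertion(txText) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get',
    challenge: expected.challenge, origin: expected.origin, txAuthText: txText }));
  const authenticatorData = Buffer.concat([sha256(Buffer.from(expected.rpId)),
    Buffer.from([0x01, 0, 0, 0, 1])]); // flags: user present; signCount = 1
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

const honest = makeAssertion(expected.txText);
// Client data altered after signing: the signature no longer matches.
const swapped = { ...honest, clientDataJSON: Buffer.from(
  honest.clientDataJSON.toString().replace('ACME GmbH', 'Other Payee')) };
// Validly signed, but over a text that differs from the RP's record.
const different = makeAssertion('Pay 9000.00 EUR to Other Payee');

for (const a of [honest, swapped, different]) console.log(verifyTxAssertion(a, expected, publicKey));
```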