Re-Open "confirmation" discussion (see PR#2020)

[rlin1]

I was asked by the FIDO2 working group, to re-open the transaction confirmation discussion in WebAuthn WG.

Description

Ability for relying parties to pass a confirmation prompt to the authenticator (e.g., security key with a display) through official "rails" - as opposed to using other protocol elements that were introduced for other purposes.
Ability for the authenticator to cryptographically link the confirmation prompt to the generated assertion - if the authenticator has shown it.
Ability for the client (e.g., Browser) to display the confirmation prompt on behalf of the authenticator (e.g., security key without a display). Ability for the client to include the confirmation prompt that was shown in the clientDataJSON.

Related Links

See #2020 as a starting point.

[FlxMgdnz]

I’m still a strong advocate for these extensions to the WebAuthn spec — not least because they would finally enable adoption in more heavily regulated sectors like banking and other high-value or high-risk transactions.