New tech touted as faster and stronger than web-based authentication alternatives

Image: Shutterstock / Public Domain

Google has begun bundling a new secure payment feature with the latest prototype version of its Chrome browser.

The secure payment confirmation feature, incorporated into Chrome 95 beta, hooks into the Web Authentication API to offer another layer of web-based authentication.

The feature adds a new ‘payment’ extension to that API, allowing organizations such as banks to optionally offer a PublicKeyCredential. This credential can be queried by merchants during payment transactions via the Payment Request API using the ‘secure-payment-confirmation’ payment method.


Catch up with the latest authentication-based security news and analysis


Secure payment confirmation enables FIDO-based authentication for web payments.

Users enrol a payment instrument using on-device biometrics, creating a FIDO credential that can be held by a payment service provider, such as Stripe (a partner with Google in trials of the technology). This credential can be used in later transactions to authenticate the user.

The technology can also be used to produce a signed challenge that includes the transaction value. During trials, secure payment confirmation "provided a higher conversion rate and faster authentication time" thanthe latest version of 3-D Secure authentication flows, according to Google.


Payment confirmation technology debuting in Google Chrome uses FIDO-based authenticationGoogle’s new secure payment confirmation technology uses FIDO-based authentication


The authentication approach, comparable but more advanced than WebAuthn, is touted as faster and more secure than web-based authentication alternatives.

Support for the technology in Google Chrome comes against a backdrop of regulatory changes designed to enforce stronger authentication for online payments in many regions, including the European Union.

Deprecating U2F

Chrome 95 beta, released last week, comes ahead of the newest version’s mainstream launch, due October 19.

The release deprecates Chrome’s legacy U2F API for interacting with security keys.

However, “U2F security keys themselves are not deprecated and will continue to work,” Google explains in its release notes. “Affected sites should migrate to the Web Authentication API”.

Chrome 95 beta also removes support for FTP (File Transfer Protocol) URLs, a little-used legacy technology that has been superseded by more capable FTP clients.

As browser support for legacy technologies such as FTP heads into the sunset, Chrome 95 also debuts support for access handles for the File System Access API.

Google said the introduction of the technology is the first step in broader plans to “merge the origin private file system of the File System Access API with the Storage Foundation API to reduce the number of entry points for getting access to file-based storage in the browser”.


RELATED Opera browser patches MyFlow remote code execution vulnerability