Apr 29, 2026

The Day FIDO Alliance Took In AP2 — Google's Donation Signals the Standardization Phase of Agent Authentication

Key Points

  1. The FIDO Alliance has launched the Agentic Authentication Technical Working Group, with Google contributing AP2 and Mastercard contributing Verifiable Intent. Agent authentication is now on the same standardization track as passkeys.
  2. With Visa, Amex, PayPal, Stripe, Adyen, Cloudflare, Microsoft, and Okta on board, the lineup of payment giants, identity players, and cloud infrastructure providers signals the start of an industry consolidation phase.
  3. Running parallel to the April 28 UCP Council expansion, e-commerce operators need to plan for FIDO-spec-compliant authentication implementation in H2 2026.

The Day Agent Authentication Joined the Passkey Track

On April 28, 2026, the FIDO Alliance announced the formation of the Agentic Authentication Technical Working Group. The same announcement revealed that Google is contributing the Agent Payments Protocol (AP2) and Mastercard is contributing its Verifiable Intent framework to FIDO. AP2 had been a Google-led specification with participation from Cloudflare, Coinbase, and Salesforce, but it has now passed into the hands of a neutral standards body.

The impact of this announcement goes far beyond just adding another working group. The FIDO Alliance is the organization behind WebAuthn and passkeys, the global standard for passwordless authentication. The fact that the same body has taken on agent authentication means that AI-agent-driven transactions are now considered worthy of the same level of standardization as passkeys themselves. This article unpacks what this restructuring is actually solving, what the participating company lineup signals, and what e-commerce operators should do next.

Why Existing Authentication Models Fall Short

Today's authentication and authorization models were designed assuming humans interact with services directly. A user logs in via a browser, clicks with their own finger, and completes a transaction. WebAuthn and OAuth have functioned within this flow.

When AI agents act on a user's behalf, the assumptions break down. The agent signs into accounts, selects products, and executes payments instead of the user. At that moment, the service side cannot answer fundamental questions: Is this a legitimate agent? Was it actually delegated by the user? Has it stayed within authorized scope, amount, and duration? The three pillars FIDO Alliance highlighted in its release — Verifiable User Instructions, Agent Authentication, and Trusted Delegation for Commerce — are direct answers to these questions.

The release cited a McKinsey estimate that agentic commerce could reach $5 trillion globally by 2030. Even if only half of that materializes, the market cannot scale while leaving the authentication gap unfilled. Riskified's recently published data showing that 55% of agent-driven traffic is being mistakenly declined captured the economic cost of that authentication void. FIDO's move is a clear industry response.

Two Specifications Donated — AP2 and Verifiable Intent

The newly formed Payments Technical Working Group is co-chaired by Mastercard and Visa, with two technical contributions on the table from day one.

Google's contribution, the Agent Payments Protocol (AP2), defines agent-driven payments through a three-layer model: secure delegation, verifiable authorization, and trusted transaction execution. We covered the protocol details in our AP2 explainer, but the essence is that users cryptographically sign delegations specifying what an agent may purchase, up to what amount, and under what conditions — letting merchants, card networks, and PSPs verify the chain of intent.

Mastercard's contribution, Verifiable Intent, is designed to operate alongside AP2. Mastercard's Chief Digital Officer Pablo Fourez summarized it well: "For agent-initiated commerce to scale, user intent must be explicit, verifiable, and trusted." What Verifiable Intent provides is a shared record of user intent that the entire payments ecosystem can rely on. While AP2 defines the payment protocol itself, Verifiable Intent functions as a layer of intent proof that sits on top.

Stavan Parikh, VP/GM of Payments at Google, also offered a notable comment: contributing AP2 to a trusted industry association ensures the protocol stays open, platform-agnostic, and community-led. This is effectively a declaration of relinquishing ownership. It mirrors Google's June 2025 decision to donate A2A to the Linux Foundation and reaffirms the industry consensus that AI-agent infrastructure should not be enclosed by any single vendor.

What the Participant Lineup Signals

Look at the chairs, vice-chairs, and participating companies of the new working groups, and the scale of what's happening becomes clear.

The Agentic Authentication Technical Working Group is chaired by members from CVS Health, Google, and OpenAI, and vice-chaired by Amazon, Google, and Okta. The Payments Technical Working Group is chaired by Mastercard and Visa, with American Express, PayPal, Stripe, Adyen, Cloudflare, Microsoft, and Okta on the participant roster.

Three axes emerge from this composition: payment giants (Visa, Mastercard, Amex, PayPal, Stripe, Adyen), identity players (Okta, Microsoft, Google), and cloud infrastructure (Cloudflare, Microsoft, Google). Having all three pillars at the same table is unprecedented. It mirrors the structure of the early WebAuthn era when Google, Microsoft, and Apple aligned — a configuration where industry-wide standardization actually becomes possible.

CVS Health and OpenAI being among the chairs is also worth noting. CVS brings the regulated healthcare use case for agent authentication, while OpenAI joins as a representative of the implementation side. The specifications will be refined from both the policy and the engineering perspectives, rather than from academic theory alone.

Parallel Movement with the UCP Council Expansion

The timing makes another announcement impossible to ignore: the Universal Commerce Protocol (UCP) Council expansion on April 28. Amazon, Meta, and Microsoft joined the council, cementing UCP's position as the de facto standard for the commerce layer. We covered UCP details in our Universal Commerce Protocol explainer, but what matters here is that two movements are running in parallel.

UCP handles the commerce layer between agents and merchants. The new FIDO working groups handle the authentication layer between agents, users, and services. As outlined in our agentic AI protocols overview, the authentication layer has been a fragmented territory of vendor-specific approaches. FIDO formally entering this space means both the commerce layer and the authentication layer are now aligning under "standards owned by neutral bodies."

You could call it the starting gun of an industry consolidation phase. Google, Anthropic, OpenAI, Stripe, Visa, and Mastercard have each been pushing their own specifications, but the simultaneous council additions and standards-body donations in the last week of April are no coincidence. The natural reading is that companies have intentionally shifted from "fence off the market with proprietary specs" to "expand the market on shared rails."

The Authentication Roadmap E-Commerce Operators Need

This standardization wave is not someone else's problem for e-commerce operators. FIDO Alliance specifications typically take 12 to 18 months from draft publication to production deployment. The release explicitly notes that work has already commenced, so initial specifications should be expected to solidify between H2 2026 and early 2027.

Three things to lock down on the operator side. First, agent traffic identification. As Riskified's 55% rejection data shows, false declines occur today because humans and agents are indistinguishable. Once FIDO's Agent Authentication spec stabilizes, merchants will be able to verify legitimate agents technically.

Second, authorization scope design. The Verifiable User Instructions spec requires users to explicitly encode "when, where, up to what amount, how many times" an agent may act on their behalf. Operators need to organize internal policies for how to interpret incoming delegations and how far to permit execution.

Third, continuity with existing passkey implementations. FIDO's strength is that agent authentication is not invented from scratch but layered on top of WebAuthn and passkey infrastructure. Operators that already deployed passkeys are likely to extend smoothly into agent authentication. Those who lagged on passkey adoption will accumulate compounding delays.
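To make the second point concrete, here is a sketch of a merchant-side check that interprets an incoming delegation against its "when, where, up to what amount, how many times" limits. It is an added example, not code from AP2, Verifiable Intent, or any FIDO specification: every field name is hypothetical, and an HMAC stands in for the user's asymmetric signature so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. HMAC stands in for the user's asymmetric signature so
# the example runs on the standard library alone; a real verifier would check
# the delegation against the user's public key.
DEMO_KEY = b"constructed-demo-key"

def sign(body: dict, key: bytes = DEMO_KEY) -> str:
    """Tag over a canonical (sorted, compact) JSON encoding of the body."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def evaluate(delegation, request, uses_so_far, now, key=DEMO_KEY):
    """Merchant-side decision (allowed, reason); fails closed on first violation."""
    try:
        body = delegation["body"]
        if not hmac.compare_digest(sign(body, key), delegation["sig"]):
            return False, "bad_signature"
        if request["agent_id"] != body["agent_id"]:
            return False, "agent_mismatch"
        if request["merchant"] not in body["merchants"]:          # where
            return False, "merchant_out_of_scope"
        start = datetime.fromisoformat(body["not_before"])
        end = datetime.fromisoformat(body["not_after"])
        if not start <= now < end:                                # when
            return False, "outside_validity_window"
        if request["currency"] != body["currency"]:
            return False, "currency_mismatch"
        if request["amount_minor"] > body["max_amount_minor"]:    # up to what amount
            return False, "amount_over_cap"
        if uses_so_far >= body["max_uses"]:                       # how many times
            return False, "use_count_exhausted"
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    return True, "ok"

# Constructed sample; field names are hypothetical, not the AP2 or FIDO format.
BODY = {"agent_id": "agent-123", "merchants": ["shop.example"], "currency": "USD",
        "max_amount_minor": 5000, "max_uses": 2,
        "not_before": "2026-05-01T00:00:00+00:00",
        "not_after": "2026-05-08T00:00:00+00:00"}
DELEGATION = {"body": BODY, "sig": sign(BODY)}
REQUEST = {"agent_id": "agent-123", "merchant": "shop.example",
           "currency": "USD", "amount_minor": 4200}
NOW = datetime(2026, 5, 2, 12, 0, tzinfo=timezone.utc)
```

The `uses_so_far` count has to come from the merchant's own durable record for that delegation, because a signed delegation cannot carry its own consumed state. Checking the signature before any limit means a tampered cap or window is rejected before it is ever interpreted.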

For the broader picture of agent identity, see our agentic AI identity stack vendor guide. Even before FIDO's specs solidify, Okta, Microsoft, and Auth0 are already offering solutions ahead of the standard.

Key Takeaways

The launch of the Agentic Authentication Technical Working Group, the donations of AP2 and Verifiable Intent, and the participation of major payment, identity, and cloud players — this April 28 announcement bundle marks the moment agent authentication moved from "experimental phase" to "standardization phase."

Three points to remember. Agent authentication has joined the same track as passkeys, becoming an open standard owned by a neutral body. The move runs parallel to the UCP Council expansion, with both the commerce and authentication layers now entering an industry consolidation phase. And operators should organize their passkey implementations and authorization policies now, on the assumption that initial specifications will firm up between H2 2026 and early 2027.

Recall how long it took WebAuthn to take hold, and the same path likely awaits agent authentication. The difference is that the journey will be dramatically shorter. The 2027 in which AI agents handle everyday purchasing is now within reach.