The Race Is on to Keep AI Agents From Running Wild With Your Credit Cards

AI agents may soon be buying your stuff for you. The FIDO Alliance has teamed up with Google and Mastercard to try to ensure that shopping in the near future isn’t a complete disaster.

The digital world is already fraught with security issues such as malware, online impersonation, and account takeovers. The emergence of agentic AI, which performs activities on behalf of humans, introduces new risks. To address these concerns, the FIDO Alliance, an industry association focused on authentication, announced on Tuesday that it will establish two working groups to develop industry standards for validating and safeguarding transactions conducted by AI agents. This initiative is supported by initial contributions from Google and Mastercard.

The objective is to establish a protective baseline that can be implemented across various industries. This would enable users to authorize agent actions using mechanisms that are resistant to phishing or takeover by malicious actors who could give rogue instructions to an agent. The standards would also incorporate cryptographic tools that digital services could use to verify that agents are correctly and legitimately executing an authenticated person’s instructions. Additionally, they would provide privacy-preserving frameworks to allow users, merchants, and other service providers to validate transactions initiated by agents. In essence, the aim is to prevent agent hijacking or other rogue behavior, and to establish transparency and accountability mechanisms for dispute resolution.

“Agents are becoming increasingly prevalent and are moving into mainstream use. However, existing models were not designed for this type of paradigm—they were not built to consider actions performed on behalf of a user,” says Andrew Shikiar, CEO of the FIDO Alliance. He further adds, “Looking back at our work on the vast problem of passwords, which originated decades ago, the security foundation for our connected economy was not fit for purpose. We are now at a similar crossroads with agentic agents and interactions, where we have the opportunity to establish foundational principles that will enable more trusted interactions.”

Developing technical standards that can be applied across industries and facilitate interoperability is a complex process that often takes years. However, given the rapid development and adoption of agentic AI, representatives from the FIDO Alliance, Google, and Mastercard all stress the need for a faster process. To expedite this, Google and Mastercard are both contributing open-source tools to the initiative. Google’s Agent Payments Protocol (AP2) provides a mechanism for cryptographically verifying that a user intended for a specific agent-initiated transaction to occur. Mastercard’s Verifiable Intent framework, co-developed with Google to work with AP2, offers a secure mechanism for users to authorize and control agent actions. The aim is to provide cryptographic proof that a transaction was authorized by the user themselves.
