FIDO Alliance Launches Two AI-Agent Standards Groups — Google Donates Agent Payments Protocol, OpenAI Joins (April 28, 2026)
The FIDO Alliance on April 28, 2026 chartered two new technical working groups to standardise how AI agents authenticate and pay on a user's behalf. Google contributed its Agent Payments Protocol, Mastercard contributed Verifiable Intent, and OpenAI joined the alliance to co-chair the authentication group.
The FIDO Alliance on chartered two new technical working groups to define how AI agents authenticate, follow user instructions, and execute payments on a user's behalf. Google donated its Agent Payments Protocol (AP2) and Mastercard contributed its Verifiable Intent framework as the seed specifications, while OpenAI joined the alliance and will co-chair the authentication group.
What Happened
The alliance announced two parallel workstreams. The Agentic Authentication Technical Working Group will define how a human user delegates actions to an AI agent while keeping FIDO's phishing-resistant authentication intact, and how to draw a clear, verifiable line between actions taken by the user directly and actions taken by an agent on their behalf. The group is chaired by members from CVS Health, Google, and OpenAI, with vice-chairs from Amazon, Google, and Okta.
The second workstream, the Payments Technical Working Group, focuses on agent-initiated commerce. It is chaired by members from Mastercard and Visa and will build directly on Google's Agent Payments Protocol (AP2) and Mastercard's Verifiable Intent framework — both contributed as starting points so the group does not begin from a blank page. According to Google's announcement on the Google Pay blog, AP2 covers "secure delegation, verifiable authorization, and transaction execution" for agent-led purchases.
Key Details
- Two working groups, one launch: Agentic Authentication and Payments — both chartered on the same day to keep the authentication and transaction layers in sync.
- Authentication chairs: CVS Health, Google, OpenAI. Vice-chairs: Amazon, Google, Okta.
- Payments chairs: Mastercard and Visa, building on Google's AP2 and Mastercard's Verifiable Intent.
- OpenAI joins FIDO: The ChatGPT maker became a FIDO Alliance member specifically to co-chair the authentication group, per Biometric Update's reporting.
- Endorsing board members: 1Password, Dashlane, PayPal, Prove Identity, Thales, and Visa publicly endorsed the launch.
- Goal: Interoperable, vendor-neutral standards so an agent authorised on one platform can transact on another without bespoke per-merchant integrations.
What Developers and Users Are Saying
Reaction across Hacker News and security-focused threads was cautiously positive. Identity engineers welcomed the move because the alternative — every model vendor shipping its own bespoke agent-auth scheme — is exactly how phishing surfaces multiply. Skeptics zeroed in on the same risk Help Net Security flagged: a delegated credential is only as strong as the verification step that grants it, and the working groups must define what "the user really meant to authorise this purchase" looks like in code, not just in policy. The fact that competing labs (Google and OpenAI) are co-chairing alongside payment networks (Visa and Mastercard) was widely read as a sign that no single vendor wants to own the spec — a deliberate echo of the original FIDO2/WebAuthn coalition.
What This Means for Developers
Nothing breaks today. The working groups are at the charter-and-draft stage and have not yet published normative specifications. But teams shipping agent integrations should plan for two changes within 12–18 months: a FIDO-blessed delegated-authentication primitive that sits next to passkeys, and an agent-payment authorisation flow that wraps existing card-network rails rather than replacing them. Anyone already building on Google's AP2 reference is in the best starting position, since AP2 is now the seed of the official spec; teams that built bespoke OAuth-style agent flows should expect to migrate.
What's Next
The FIDO Alliance has not published a public timeline for first drafts, but historical precedent — FIDO2 went from charter to candidate spec in roughly 18 months — suggests early implementer drafts in late 2026 or early 2027. Google's Agent Payments Protocol blog post and the official FIDO Alliance announcement are the canonical starting points for developers who want to track the work.
Sources
- FIDO Alliance — official press release — primary announcement of both working groups, chairs, and contributors.
- Google Pay blog — Donating AP2 to the FIDO Alliance — Google's own framing of the AP2 contribution.
- Help Net Security — security-focused analysis of the standards push.
- Biometric Update — OpenAI joins FIDO Alliance — confirms OpenAI's membership and role.
- PYMNTS — payments-industry framing of Google and Mastercard's contributions.
- ID Tech Wire — identity-industry coverage with chair and vice-chair details.
Stay up to date with Doolpa
Subscribe to Newsletter →