FIDO Alliance Moves to Secure AI Agents Before Shopping Chaos Hits
- FIDO is forming AI payment working groups
- Google and Mastercard back cryptographic proof
- The goal is authorization before agent shopping chaos
PAYMENTS CANNOT BECOME AUTOPILOT FOR FRAUD
AI agents can already book flights, order food, and manage subscriptions, but payment is where a neat demo becomes a financial risk. If an agent gets card access without a narrow cryptographic trail, a compromised account is no longer just a security incident. It becomes a direct route to someone else's money.
Wired explains why the FIDO Alliance is forming working groups for agent-driven payments with Google and Mastercard involved. The goal is not to trust agents because they sound helpful. It is to make every transaction carry proof of who approved it, what was approved, and where the permission ends.
That distinction matters. A saved card or password gives an agent too much room. Passkey-style authorization and selective disclosure can support a narrower model: an agent may buy a specific ticket, under a specific limit, from a specific merchant, without exposing a full identity or permanent card access.
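The narrow model above, sketched as an added example that is not from the article or from any FIDO, Google or Mastercard specification: a signed, single-use mandate for one item, one merchant and one spending ceiling, checked before a charge is accepted. The mandate fields, the key and `check_charge` are hypothetical, and HMAC from the standard library stands in for the asymmetric signature a passkey would produce.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real passkey flow would use an asymmetric signature
# from the user's authenticator; HMAC is a stdlib stand-in for that proof.
USER_KEY = b"constructed-demo-key"


def canonical(mandate):
    """Serialize deterministically so signer and verifier hash the same bytes."""
    return json.dumps(mandate, sort_keys=True, separators=(",", ":")).encode()


def sign_mandate(mandate, key=USER_KEY):
    return hmac.new(key, canonical(mandate), hashlib.sha256).hexdigest()


def check_charge(mandate, tag, charge, now, spent, key=USER_KEY):
    """Return (allowed, reason) for a charge an agent presents under a mandate."""
    if not hmac.compare_digest(tag, sign_mandate(mandate, key)):
        return False, "signature mismatch"  # mandate was altered after approval
    if now >= mandate["expires"]:
        return False, "mandate expired"
    if mandate["id"] in spent:
        return False, "mandate already used"
    if charge["merchant"] != mandate["merchant"]:
        return False, "wrong merchant"
    if charge["item"] != mandate["item"]:
        return False, "wrong item"
    if charge["currency"] != mandate["currency"]:
        return False, "wrong currency"
    if charge["amount_cents"] > mandate["max_amount_cents"]:
        return False, "over limit"
    spent.add(mandate["id"])  # single use: the permission ends here
    return True, "ok"


# Constructed sample: one ticket, one merchant, a 150.00 EUR ceiling.
MANDATE = {"id": "m-001", "merchant": "rail.example", "item": "ticket-ZAG-VIE",
           "currency": "EUR", "max_amount_cents": 15000, "expires": 1_700_003_600}
TAG = sign_mandate(MANDATE)
CHARGE = {"merchant": "rail.example", "item": "ticket-ZAG-VIE",
          "currency": "EUR", "amount_cents": 12900}

if __name__ == "__main__":
    spent = set()
    print(check_charge(MANDATE, TAG, CHARGE, 1_700_000_000, spent))
    print(check_charge(MANDATE, TAG, CHARGE, 1_700_000_000, spent))  # replay
```

The returned reason string is what an audit trail would record for each accepted or refused charge.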
The standards race ahead of AI agent deployment, not after a catastrophe
STANDARD BEFORE CHAOS
FIDO is trying to do what the industry did too late with passwords: define minimum security infrastructure before bad patterns become normal. If agents become everyday shoppers, merchants, banks, and browsers will need to separate legitimate delegation from stolen tokens and manipulated users.
Google and Mastercard matter because a standard that never enters real payment rails is just a policy memo. The practical test is not whether an agent can buy socks. It is whether the system can later prove that the agent stayed inside the permission it was given.
This is not an argument that AI agents should never spend money. It is an argument that every autonomous transaction needs a chain of accountability. Without that, the "smart agent" is just a smoother interface for an old scam.

