W3C

3DS Task Force

26 Sep 2018

Agenda

Attendees

Present
Ian Jacobs (W3C), Rouslan Solomakhin (Google), Jonathan Grossar (MC), Brian Piel (MC), Ken Mealey (Amex)
Chair
Ian
Scribe
Ian

<scribe> Scribe: Ian

Auth session at TPAC

Ian goes through: https://www.w3.org/2018/Talks/ij_tpac_auth/#14

Brian: The approach makes sense. Standardized data set makes sense for 3DS.
... having consistency coming from browsers makes sense

IJ: From 3DS perspective, an improvement could be method_url implementation using a new browser API

Brian: That approach is how it's done in native.

IJ: Yes, part of goal is to get standardized data.

Brian: Feedback from industry on standardized device idea was risk of spoofing
... The end goal is to have enough information to make a risk assessment
... the information being browser-based, there are things that are generically available (6 or 7 high-level data points)
... those have some relevance but don't tell the whole story
... if there were a way to get attestation about the data, that would be helpful.
... knowing same browser + user would be relevant
... but additional context useful ("e.g., same browser in a different country")
... good signal to have server vouch for data

Rouslan: Google would either essentially trust the browser or not
... that's as far as we have thought through this
... we could also think about providing a "level of confidence"
... but at a certain level of confidence we would stop talking to the browser entirely, and the browser could not contact the Google server to get a score
... so essentially the only possible value you could get from Google is "99%" or "100%" ... which is not very useful

Brian: there are multiple signals. One signal like "trusted browser" is relevant

Rouslan: have a look at https://github.com/w3c/webpayments/wiki/DeviceDataAPI

Brian: I think the end game is to unify browser and in-app scenarios.
... One reason auth may not be good enough is that it's only as good as the initial enrollment (ID&V)

Jonathan: Two use cases (1) user does not have FIDO authenticator (2) ID&V is not done well

Brian: Summary - get relevant data, consistent data, low friction user experience

Ken/Brian: Fraud is like water

IJ: I would like input on:

- the slide deck https://www.w3.org/2018/Talks/ij_tpac_auth/

- This proposal: https://github.com/w3c/webpayments/wiki/DeviceDataAPI

- Any other written down proposals for how the browser could provide relevant, standardized, and trusted signals for risk analysis.

next meeting

3 October (regularly scheduled) call

IJ: If we don't have feedback at that time, we'll postpone until TPAC

Jonathan: Let's meet in 2 weeks instead.

Ian: I am at risk
... let's aim for 3 October and if not, then schedule a week later

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2018/09/26 16:14:18 $