Recently launched: WebAuthn Adoption CG
adrianHB: I am updating the text still, but have pushed a flow diagram.
AdrianHB: This is a proposal to
enhance the payment sheet
... FIDO has a concept of transaction confirmation
... option for more security thanks to display by client /
platform
... webauthn extensions related to transaction confirmation are
not implemented
... so the proposal is to combine info from PR API into
WebAuthn
[We walk through flow]
1. PR API constructor
2. Use of canMakePayment to determine whether payment handler can provide a public key.
3. Show()
4. Payment handler selector comes up with transaction details
5. Within the payment handler, because the merchant has requested built-in auth experience, window.open not available. Payment handler gets a challenge from server.
6. Payment handler calls some version of get() in the special proposed payment handler context
Adrian: in this special context,
the browser knows to add this transaction info from the PR
context into the client data passed to the authenticator
... Webauthn internal method called
7. User prompted to authenticate
Adrian: and they are also shown transaction details.
8. Credential returned to payment handler, which can be given to merchant.
9. That signed credential is all that's needed to get paid.
Adrian: The account holder receives a signed assertion that the user agrees to the transaction.
Gerhard: Some discussion in
Europe about the merchant doing banking-grade
authentication
... and they want the merchant to be able to pass a credential
to the merchant
... if we could conform to that payload, then there is already
a way to pass that credential to 3DS
AdrianHB: We could propose this
as a secure way for the user to get a credential from an
account holder and pass to a merchant.
... and payment systems could adopt that as one way to
authenticate.
... so merchant could submit this retrieved credential to the
ACS.
... one challenge with the proposal that the issuing bank mint
a credential per merchant is that it doesn't scale well across
sites.
[We see a recorded demo]
AdrianHB: This UI is rendered by
the client.
... this particular demo is not (yet) FIDO
... probably will include as well the origin of the
beneficiary
... the relying party in this case is the wallet
... working with Chrome on this "minimal UI"
... for payment handlers.
... None of the UI comes from the payment handler (except for
the icon)
... so this is WebAuthn + no UI...helps trust "what the user
saw" since all done by the client and not by the site
... advantage is consistency across the web since the UX is
from the platform, not the site
... another advantage is, as a relying party, you don't need to
write code! You just write a 5-line service worker that says
"do webauthn and pass results to merchant"
... this is simpler for parties to do and maintain
IJ: What exists in chrome today?
AdrianHB: You can get the minimal
UI in Canary on Android
... but it's not FIDO..just a presence check
IJ: When do we get FIDO?
AdrianHB: That's a bigger question; need to get the proposal in shape to understand full impact, especially on platform authenticators
AdrianHB: I am still learning about WebAuthn details and getting feedback from people.
btidor: Does this mean that you are adopting Dirk's proposal to hash ?
AdrianHB: Whatever browser needs
to do so that the prompt can show the total, beneficiary
... not sure if you need to pass details to FIDO server or can
combine afterwards.
btidor: Seems like we have 2 separate proposals:
- Dirk's proposal for PISPs
- This proposal for non-PISPs.
btidor: It would be great to
consider if the payment handler is a PISP
... I think your proposal can satisfy the PISP use case equally
well.
AdrianHB: I think Dirk's proposal speaks more to enrollment
btidor: If the payment handler is
written by a third party helping an issuer get online...how do
people trust the third party?
... I think that there are parallels with signing browser
data
... and that will have a material difference on challenge and
separate field
... see my comment on issue #1.
AdrianHB: Thanks!
13 May
