SPC Task Force

08 November 2021


Anne Pouillard (Worldline), Christian Aabye (Visa), Clinton Allen (American Express), Doug Fisher (Visa), Jeff Hodges (Google), John Bradley (Yubico), Michel Weksler (Airbnb), Praveena Subrahmanyam (Airbnb), Ryan Watkins (Mastercard), Sameer Tare (Mastercard), Stephen McGruer (Google), Ian Jacobs (W3C)

Meeting minutes

What are requirements when more than one SPC credential matches?

Stephen: Today in the implementation we accept the first credential that matches.
… WebAuthn as a model also views as a decreasing order of preference
… but they expect prompting of the user to pick the first one they like

John_Bradley: authenticators in CTAP will choose the "most recently created credential" of the allow list.

Ian: Is the goal "get one back however that is determined"?

John_Bradley: Nothing in allow list causes a list to be showing in CTAP
… nothing about credential IDs says "This is your blue authenticator"

<Zakim> SameerT, you wanted to say Ian, can you please run through the problem statement/scenario again

Doug: From a 3DS perspective it would be great if credentials were shown and nothing else.
… let's say SPC use case

Stephen: There are two levels: "Multiple authenticators are available" ...may want to ask the user to pick one.
… when credentials are from the same authenticator...the authenticator picks the most recent one.

<Zakim> smcgruer_[EST], you wanted to ask John to clarify behavior in CTAP vs "WebAuthn Authenticator Model" section of WebAuthn

John_Bradley: WebAuthn pretty much always shows you a dialog.

John_Bradley: The platform authenticator will give you a list of credentials it has and an option to use a roaming authenticator.
… lots of innovation in this space

IJ: Summary:

- When multiple authenticators, should user pick one?

- When multiple credential IDs for the same authenticator, implementation detail how one is chosen.

John_Bradley: Authenticator might show a pick list
… platform authenticators typically do a user verification before they present a pick list

smcgruer_[EST]: In case where user has one matching platform, the only issue I see is how the browser/OS presents option to plug in a roaming authenticator

IJ: should we have requirements?

John_Bradley: If there is an allow list you'll get back one (per CTAP). Windows shows a chooser.

Ian: Could we just say "it's up to the implementation to get to 1, and it's an implementation detail?"

John_Bradley: What is the expectation about sequencing of UX?
… do you silently probe and then go back and do a get() with one credential id?

Stephen: The latter.

1) Browser receives a list of credential IDs.

2) Can ask (in the future) whether the platform authenticator knows it (Conditional UI)

3) our "no match" dialog could be extended to ask user to plug in roaming authenticator

John_Bradley: As long as we say credentials are created with cred protect levels 0 or 2
… at level 2, you need the credential ID
… at level 0, there's no privacy as long as the rpid is known
… Chrome currently uses cred level 2 for discoverable
… assuming you had, say, a Yubikey, Chrome could iterate over credentials with user presence 0, user verified 0 to determine whether available before user is prompted
… there's also an NFC use case where user needs to do a tap operation then they might need a dialog
… may be ok to only present "roaming" option if there's no platform credential available

Stephen: Good question.

John_Bradley: I think in most cases, you'd proceed with the platform authenticator if the issuer has provisioned it

Stephen: I'd be happy to punt to WebAuthn. The WebAuthn implementation could go ahead to resolve it.

Doug: Great discussion. We do have questions on 3DS side re: UX
… we should allow the RP to create more than one credential (may be done at PAN level rather than identity level)
… could the OS give an option to insert a roaming authenticator, and if they used it, could the assertion fail if there was no credential...would the RP know?

John_Bradley: That could not happen if you are using an allow list

John_Bradley: The list of credential ids doesn't tell you about which authenticator (platform or roaming) or if on this machine or not

JeffH: Doug brings up a key question - the data model.
… the data model needs to get decided
… if I understood correctly, it's whether the issuer is mapping the credentials to accounts or instruments.

John_Bradley: If you have one credential per PAN, where does WebAuthn get the info it will present?

Stephen: We don't do instrument selection; the merchant (and account provider) have chosen the instrument before SPC is called

John_Bradley: The answer to the question is "one response". We may want to clarify "what goes in the user id" and we could help avoid a pick list.

Stephen: At registration time, the RP should "be consistent"

John_Bradley: Yes, the RP should be consistent at registration time, otherwise there might be some UX issue.

ACTION: Ian to follow up with Stephen about next steps.

Next meeting

15 Nov. And we may push SPC topics to 18 Nov WPWG call since we have a lot.

Minutes manually created (not a transcript), formatted by scribe.perl version 159 (Fri Nov 5 17:37:14 2021 UTC).