Meeting minutes
Cross-origin Web Authentication
Web Authentication issue on Cross origin authentication without iframes.
John_Bradley: I've not yet expanded on the WebAuthn thread.
… not everyone is yet on board about using userid.
… the other approach is two namespaces for rpid
smcgruer_[EST]: Interesting question - how would we resolve this one way or another?
John_Bradley: Implementer buy-in affects implementation
Gerhard: One of the most prolific publishers of data on SCA is from a browser vendor
… maybe we could arrange for a discussion
Ian: What data do we have?
Gerhard: EU said you have to do 2 factor for payments and for login
… it's valuable to have fewer registrations from a UX experience
… we've seen in the banking app and GSM environment value of using same token for both use cases
Doug: Regarding resolving this. Although I can't speak for EMVCo, it might be a channel for gathering information about bank requirements. I could raise this in the 3DS WG so that members can raise it internally
… I think registration of credentials is a difficult area for us to solve, and I think banks would want to leverage existing investments.
… I think they would definitely prefer an environment where credentials could be used in both use cases.
John_Bradley: The question is: there is nothing that stops an authentication from also being an SPC credential, but the SPC credential only works with the issuer's origin
… but what we are discussing is what happens when you want to use these credentials from 3p origins
Doug: I think that RPs will want to use SPC credentials for login
… in a 1p context
Gerhard: I expect that the flow will be: (1) register for login (2) register for payments from 1p (3) Register for 3p SPC
… in FAPI flow, there will be full redirect to bank domain.
… even there again, it's a 1p context
… 3DS is really the only environment that involves 3p auth
John_Bradley: The two proposals are the same as to whether the bank can use it.
… we also need to consider the "no allow" use case
smcgruer_[EST]: I would like to hear from our partners who are experimenting to see whether "register for login" is the first use case we'll see.
… I would speculate that if you are looking at a case, for example, where a PSP is doing delegated authentication, the PSP might do SPC as the RP.
Gerhard: Merchants ALSO want to use FIDO for both login and payment
<Gerhard> question: Could we look at the Microsoft counter proposal, and its implications?
IJ: another approach is making N registrations easier.
John_Bradley: There is a concept of user verification caching; but not implemented.
… there is practically a requirement for some user action for registration
… that could change but would be a large change to the infrastructure
Jeff_Hodges: I am hearing the concern is "How many user gestures are required to acquire enough credentials to satisfy the use cases."
John_Bradley: Yes, I hear that is what Ian is trying to say.
… that's called user verification caching but there are no instances of that that I know of
Gerhard: If MS is proposing an alternative, have we reviewed that?
John_Bradley: I am not sure there's an alternative (to "other namespace" approach)
Doug: I think there is a use case where SPC credentials would be created first and extended after to login id.
… we don't want user to have to select from a list of valid credentials.
… don't want to move friction from credential creation to payment transaction.
John_Bradley: Question is "Why should WebAuthn allow dual use of a cross-origin credential?"
Next meeting
6 Dec