W3C

SPC task force

29 November 2021

Attendees

Present
Anne Pouillard (Worldline), Christian Aabye (Visa), Doug Fisher (Visa), Gerhard Oosthuizen (Entersekt), Ian Jacobs (W3C), Jeff Hodges (Google), John Bradley (Yubico), Stephen McGruer (Google), Susan Pandy (Discover), Werner Bruinings (American Express)
Regrets
Adrian Hope-Bailie, Praveena Subrahmanyan
Chair
Ian
Scribe
Ian

Meeting minutes

Cross-origin Web Authentication

Web Authentication issue on Cross origin authentication without iframes.

John_Bradley: I've not yet expanded on the WebAuthn thread.
… not everyone is on board yet about using userid.
… the other approach is two namespaces for rpid.

smcgruer_[EST]: Interesting question: how would we resolve this one way or another?

John_Bradley: Implementer buy-in affects implementation

Gerhard: One of the most prolific publishers of data on SCA is a browser vendor.
… maybe we could arrange for a discussion.

Ian: What data do we have?

Gerhard: The EU said you have to do two-factor for payments and for login.
… it's valuable to have fewer registrations, from a UX perspective.
… we've seen in the banking app and GSM environment the value of using the same token for both use cases.

Doug: Regarding resolving this. Although I can't speak for EMVCo, it might be a channel for gathering information about bank requirements. I could raise this in the 3DS WG so that members can raise it internally.
… I think registration of credentials is a difficult area for us to solve, and I think banks would want to leverage existing investments.
… I think they would definitely prefer an environment where credentials could be used in both use cases.

John_Bradley: The question is: there is nothing that stops an authentication credential from also being an SPC credential, but the SPC credential only works with the issuer's origin.
… but what we are discussing is what happens when you want to use these credentials from 3p origins.

Doug: I think that RPs will want to use SPC credentials for login
… in a 1p context.

Gerhard: I expect that the flow will be: (1) register for login (2) register for payments from 1p (3) Register for 3p SPC
… in FAPI flow, there will be full redirect to bank domain.
… even there again, it's a 1p context
… 3DS is really the only environment that involves 3p auth

John_Bradley: The two proposals are the same as to whether the bank can use it.
… we also need to consider the "no allow" use case.

smcgruer_[EST]: I would like to hear from our partners who are experimenting to see whether "register for login" is the first use case we'll see.
… I would speculate that if you are looking at a case, for example, where a PSP is doing delegated authentication, the PSP might do SPC as the RP.

Gerhard: Merchants ALSO want to use FIDO for both login and payment.

<Gerhard> question: Could we look at the Microsoft counter-proposal and its implications?

IJ: another approach is making N registrations easier.

John_Bradley: There is a concept of user verification caching, but it is not implemented.
… there is practically a requirement for some user action for registration.
… that could change, but it would be a large change to the infrastructure.

Jeff_Hodges: I am hearing the concern is "How many user gestures are required to acquire enough credentials to satisfy the use cases?"

John_Bradley: Yes, I hear that is what Ian is trying to say.
… that's called user verification caching, but there are no instances of that that I know of.

Gerhard: If MS is proposing an alternative, have we reviewed that?

John_Bradley: I am not sure there's an alternative (to "other namespace" approach)

Doug: I think there is a use case where SPC credentials would be created first and extended afterwards to a login ID.
… we don't want the user to have to select from a list of valid credentials.
… we don't want to move friction from credential creation to the payment transaction.

John_Bradley: Question is "Why should WebAuthn allow dual use of a cross-origin credential?"

Next meeting

6 Dec

Minutes manually created (not a transcript), formatted by scribe.perl version 159 (Fri Nov 5 17:37:14 2021 UTC).