W3C

Web Payments WG

28 September 2023

Attendees

Present
Clinton Allen (American Express), Doug Fisher (Visa), Fahad Saleem (Mastercard), Ian Jacobs (W3C), Jean-Michel Girard (Worldline), Jeff Owenson (Discover), John Bradley (Yubico), Nick Telford-Reed, Olivier Maas (Worldline), Soumya Chakrabarty (JCB), Steve Cole (Merchant Advisory Group), Tomasz Blachowicz (Mastercard)
Regrets
Arman Aygen
Chair
Nick
Scribe
Ian, nicktr

Meeting minutes

TPAC recap

Minutes from TPAC: 11 Sep, 12 Sep

NickTR: With my chair hat on, overall success. Lots of participants in person and remote (though sound quality was not great).

NickTR: Genuine enthusiasm in sessions and in hallways. Some people may be aware that there was a small COVID outbreak (despite good mask wearing)

NickTR: Seville is a magnificent city.

NickTR: In terms of content, the highlight was seeing the results of experimentation from Stripe, Modirum, Netcetera, Visa...the fact that there was a list of findings was very exciting.

NickTR: I think it's clear from the findings (especially from Stripe) that they landed on quantitative findings similar to their first pilot.
… there's real benefit of SPC for latency (3x faster compared to OTP) and in terms of authentication success.
… but there remain challenges both to get users to register, and to get users to repeat the experience. Because it's new and changing user behaviors around payments is challenging.
… we also heard in the latest Stripe findings that vanilla WebAuthn had a better success rate than SPC. Although Stripe did not offer a definitive analysis for why that was the case, their speculation (also supported by other conversations that week) was that, in an SPC experience, the two pop-ups -- transaction dialog then OS dialog -- involved some friction, such as an extra click.
… we started to discuss, for example, whether the dialogs might be merged.
… Visa pointed out the UX is different on different platforms
… involving different labels, different language, and that that was causing some confusion for the user.
… even if we cannot specify UX (because of our charter) it was valuable to talk about user journeys and we should continue to do so
… we had a joint discussion with Web Authn WG and the WebAuthn adoption CG
… the adoption CG's work was really interesting. It's clear to me that SPC represents a step forward in authentication during payments, but we have a mountain to climb to increase awareness with issuers and the broader community.
… I think we need to be doing more to raise awareness.
… do WG participants have views on how we might do so?
… e.g., a new CG dedicated to that? a task force in this WG? via the WPSIG?
… should we be relying on the companies who are participating in the groups?
… by the platform providers? by EMVCo?
… or some combination of all of the above?

IJ: John, any thoughts on marrying the dialogs?

John: I was not in the payments meetings, so did not participate in that discussion. There might be different solutions; it would depend on how SPC is specified and how it is implemented against WebAuthn.
… it might be that the implementation layering doesn't communicate the consent from one to the other.
… it could be a specification issue or an implementation issue.

NickTR: Another topic is whether more of SPC should be pushed into Web Authn. And what will happen after WebAuthn L3?
… I have been wondering whether one of the ways we might get better alignment between SPC/WebAuthn is if more SPC were pushed to WebAuthn

John: I think that's a plausible idea

NickTR: There was an excitement about an SPC-style experience beyond the browser
… so getting closer to native via FIDO is also somewhat interesting

<tomasz> I believe the discussion somehow relates to an old issue we have on Github: w3c/secure-payment-confirmation#56

John: I think there's more that could make its way into WebAuthn

tomasz: This UX topic is very important
… the fact that we have the two dialogs is cumbersome

tomasz: There are two surfaces to the discussion
… could be about implementation of SPC
… could also be about alignment WebAuthn with SPC
… this also relates to SPC-in-PR-API...and it may make more sense to ground SPC in WebAuthn
… but what's important to us is the UX more than the API surface

John: If there were an extension to WebAuthn for the SPC dialog, perhaps the number of dialogs could be compressed.

<Fahad> And also the capability for a third party to trigger authentication

John: There's probably a fair amount of work to do that. Who is going to be displaying the transaction dialog?
… there's a separation between the platform providers and the pluggable passkey providers. We'd need to sort out who is doing what and trust boundaries.
… but i think that's work worth doing.
… if we want participation of FIDO folks in WPSIG, we need to reschedule the meetings.

NickTR: In terms of work product that this WG should do, I think this conversation about aligning webauthn and SPC, and figuring out how to have the discussion about UX and user journey while remaining in our charter scope, and figuring out how to drive adoption...those are the major topics for me.

NickTR: We did hear about the future a bit. For example, Rouslan talked about the payment links proposal.
… Gerhard presented some non-payment use cases for SPC (e.g., storing payment credentials)
… that's an increasingly important use case for both merchants and device / wallet provisioning.
… On the Payment Request front, Google and Apple both want to add addresses back to the spec.
… in short, I was excited by the pilots, by the breadth of participation
… thanks to all the presenters from the meeting!
… it was great to have Netflix at the meeting; the voice of the merchant is so important.
… and we should be thinking more about whether we can get more participation by Apple-as-merchant and Google-as-merchant.

Ian: Good to have a list of things we should be doing to get to next level:

* UX feedback => changes in implementation

* More browser support

* Developer documentation

* IANA extension registration (done)

* Pilots and good data

* Outreach

* Support in protocols

* More documentation?

Ian: That's a partial list of ideas

Clinton: On the UX feedback... what precedence is there in W3C about UX guidance?

IJ: Traditionally specs don't prescribe UX, but there is room to talk about user journeys and the data provided to APIs.

John: The underlying WebAuthn UX is different on different platforms.
… what may be annoying users is that the WebAuthn UX is different on each system.
… WebAuthn WG similarly doesn't tell OSes how to do their dialogs
… I think browser may be able to do more to get cross-OS consistency for the SPC portion of UX

IJ: I think there are fewer implementers here, and they are strongly motivated by pilot feedback to fix UX; I think that is potentially more powerful than guidelines.

NickTR: yes, Doug++ for his UX presentation

John: We also need to keep an eye on the changes to WebAuthn that are happening, such as pluggable providers
… e.g., on macOS or Windows, if you are using Chrome and have a password manager installed, the password manager may "take over"
… small number of UX people today, but it will be increasing
… credentials in password managers aren't available (at least now) via the credential listing APIs.
… we need people to understand that APIs that password managers can plug into need to also make affordances for SPC.

ACTION: John to raise an SPC issue related to pluggable passkey provider APIs (done as issue 260)

Clinton: UX is becoming the obvious hurdle for adoption (for many different specifications, not just W3C)
… it's one experience from the consumer perspective; even if there are different responsible parties working together

<tomasz> +1 for the UX workshop

IJ: Should we do a UX Workshop on payments?

Clinton: +1; good to speak with one voice

Doug: +1

Next meeting

Next meeting 12 October

Summary of action items

  1. John to raise an SPC issue related to pluggable passkey provider APIs

Minutes manually created (not a transcript), formatted by scribe.perl version 221 (Fri Jul 21 14:01:30 2023 UTC).