15:52:58 RRSAgent has joined #wpwg 15:53:02 logging to https://www.w3.org/2024/09/23-wpwg-irc 15:53:03 Meeting: Web Payments Working Group 15:53:06 Chair: NickTR 15:53:08 Scribe: Ian 15:53:25 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-TPAC2024 15:54:10 westin has joined #wpwg 15:54:12 agl has joined #wpwg 15:54:12 nsiskov has joined #wpwg 15:54:44 Christian has joined #wpwg 15:54:50 jthomas has joined #wpwg 15:55:04 present+ 15:55:06 present+ 15:55:17 present+ 15:55:18 present+ 15:55:19 present+ 15:57:30 vkuntz has joined #wpwg 15:57:42 present+ 15:57:46 present+ 15:59:02 Jeff has joined #wpwg 15:59:43 Takashi has joined #wpwg 16:00:49 Takashi has joined #wpwg 16:00:49 Jeff has joined #wpwg 16:00:49 vkuntz has joined #wpwg 16:00:49 jthomas has joined #wpwg 16:00:49 Christian has joined #wpwg 16:00:49 nsiskov has joined #wpwg 16:00:49 agl has joined #wpwg 16:00:49 westin has joined #wpwg 16:00:49 Gerhard has joined #wpwg 16:01:49 zakim, who is here? 16:01:49 Present: Ian, benoit__, rbyers, agl, jthomas, vkuntz, jets 16:01:51 On IRC I see RRSAgent, Zakim, benoit__, jets, TallTed, pea1358, canton, benoit, Ian, dlehn1, tobie_, nicktr, rbyers, hadleybeeman, ljharb, slightlyoff, smcgruer_[EST], rouslan, 16:01:51 ... hober 16:01:52 Sue has joined #wpwg 16:01:52 nick_s has joined #wpwg 16:01:52 HennaKapur has joined #wpwg 16:01:52 Takashi has joined #wpwg 16:01:52 Jeff has joined #wpwg 16:01:52 vkuntz has joined #wpwg 16:01:52 jthomas has joined #wpwg 16:01:52 Christian has joined #wpwg 16:01:52 nsiskov has joined #wpwg 16:01:52 agl has joined #wpwg 16:01:52 westin has joined #wpwg 16:01:52 Gerhard has joined #wpwg 16:01:53 present+ 16:01:54 present+ 16:01:56 present+ 16:02:15 I have made the request to generate https://www.w3.org/2024/09/23-wpwg-minutes.html Ian 16:02:27 zakim, who's here? 16:02:27 Present: Ian, benoit__, rbyers, agl, jthomas, vkuntz, jets, HennaKapur, westin, smcgruer_[EST] 16:02:29 On IRC I see RRSAgent, Zakim, benoit__, jets, TallTed, pea1358, canton, benoit, Ian, dlehn1, tobie_, nicktr, rbyers, hadleybeeman, ljharb, slightlyoff, smcgruer_[EST], rouslan, 16:02:29 ... hober 16:02:32 present+ JonathanG 16:02:44 present+ Nako 16:03:12 FahadMastercard has joined #wpwg 16:03:12 doug has joined #wpwg 16:03:12 Hari_PayPal has joined #wpwg 16:03:12 timcappalli9 has joined #wpwg 16:03:12 Helen has joined #wpwg 16:03:12 Sue has joined #wpwg 16:03:12 nick_s has joined #wpwg 16:03:12 HennaKapur has joined #wpwg 16:03:12 Takashi has joined #wpwg 16:03:12 Jeff has joined #wpwg 16:03:12 vkuntz has joined #wpwg 16:03:12 jthomas has joined #wpwg 16:03:12 Christian has joined #wpwg 16:03:12 nsiskov has joined #wpwg 16:03:12 agl has joined #wpwg 16:03:12 westin has joined #wpwg 16:03:12 Gerhard has joined #wpwg 16:04:15 Jonathan has joined #wpwg 16:04:15 FahadMastercard has joined #wpwg 16:04:15 doug has joined #wpwg 16:04:15 Hari_PayPal has joined #wpwg 16:04:15 timcappalli9 has joined #wpwg 16:04:15 Helen has joined #wpwg 16:04:15 Sue has joined #wpwg 16:04:15 nick_s has joined #wpwg 16:04:15 HennaKapur has joined #wpwg 16:04:15 Takashi has joined #wpwg 16:04:15 Jeff has joined #wpwg 16:04:15 vkuntz has joined #wpwg 16:04:15 jthomas has joined #wpwg 16:04:15 Christian has joined #wpwg 16:04:15 nsiskov has joined #wpwg 16:04:15 agl has joined #wpwg 16:04:15 westin has joined #wpwg 16:04:15 Gerhard has joined #wpwg 16:04:15 maximeg has joined #wpwg 16:04:27 Topic: Housekeeping 16:05:20 aki has joined #wpwg 16:05:20 melissavs has joined #wpwg 16:05:20 KennethDiaz has joined #wpwg 16:05:20 Wade has joined #wpwg 16:05:20 aprotyas has joined #wpwg 16:05:20 SameerT has joined #wpwg 16:05:20 JeanLuc has joined #wpwg 16:05:20 maximeg has joined #wpwg 16:05:20 Jonathan has joined #wpwg 16:05:20 FahadMastercard has joined #wpwg 16:05:20 doug has joined #wpwg 16:05:20 Hari_PayPal has joined #wpwg 16:05:20 timcappalli9 has joined #wpwg 16:05:20 Helen has joined #wpwg 16:05:20 Sue has joined #wpwg 16:05:20 nick_s has joined #wpwg 16:05:20 HennaKapur has joined #wpwg 16:05:20 Takashi has joined #wpwg 16:05:20 Jeff has joined #wpwg 16:05:20 vkuntz has joined #wpwg 16:05:20 jthomas has joined #wpwg 16:05:20 Christian has joined #wpwg 16:05:20 nsiskov has joined #wpwg 16:05:20 westin has joined #wpwg 16:05:20 Gerhard has joined #wpwg 16:05:20 present+ 16:05:22 present+ 16:05:25 present + 16:05:38 NickTR: Welcome to Anaheim, land of the mouse 16:05:47 present+ Hari 16:05:58 present+ Iren 16:06:09 s/Iren/Iris Ren 16:06:13 present+ Sameer 16:06:20 present+ Sahranya 16:06:23 present+ Akshay 16:06:29 present+ Vanitha 16:06:35 present+ Kavya Ramesh 16:06:41 present+ Janatarajan 16:06:41 kavramesh has joined #wpwg 16:06:41 aki has joined #wpwg 16:06:41 melissavs has joined #wpwg 16:06:41 KennethDiaz has joined #wpwg 16:06:41 Wade has joined #wpwg 16:06:41 aprotyas has joined #wpwg 16:06:41 SameerT has joined #wpwg 16:06:41 JeanLuc has joined #wpwg 16:06:41 maximeg has joined #wpwg 16:06:41 Jonathan has joined #wpwg 16:06:41 FahadMastercard has joined #wpwg 16:06:41 doug has joined #wpwg 16:06:41 Hari_PayPal has joined #wpwg 16:06:41 timcappalli9 has joined #wpwg 16:06:41 Helen has joined #wpwg 16:06:41 Sue has joined #wpwg 16:06:41 nick_s has joined #wpwg 16:06:41 HennaKapur has joined #wpwg 16:06:41 Takashi has joined #wpwg 16:06:41 Jeff has joined #wpwg 16:06:41 vkuntz has joined #wpwg 16:06:41 jthomas has joined #wpwg 16:06:41 Christian has joined #wpwg 16:06:41 nsiskov has joined #wpwg 16:06:41 westin has joined #wpwg 16:06:41 Gerhard has joined #wpwg 16:07:15 Present+ Sidd 16:07:19 present+ Jayadevi 16:07:24 present+ Rouslan 16:07:34 present+ Pablo 16:07:52 leecam has joined #wpwg 16:07:52 kavramesh has joined #wpwg 16:07:52 aki has joined #wpwg 16:07:52 melissavs has joined #wpwg 16:07:52 KennethDiaz has joined #wpwg 16:07:52 Wade has joined #wpwg 16:07:52 aprotyas has joined #wpwg 16:07:52 SameerT has joined #wpwg 16:07:52 JeanLuc has joined #wpwg 16:07:52 maximeg has joined #wpwg 16:07:52 Jonathan has joined #wpwg 16:07:52 FahadMastercard has joined #wpwg 16:07:52 doug has joined #wpwg 16:07:52 Hari_PayPal has joined #wpwg 16:07:52 timcappalli9 has joined #wpwg 16:07:52 Helen has joined #wpwg 16:07:52 Sue has joined #wpwg 16:07:52 nick_s has joined #wpwg 16:07:52 HennaKapur has joined #wpwg 16:07:52 Takashi has joined #wpwg 16:07:52 Jeff has joined #wpwg 16:07:52 vkuntz has joined #wpwg 16:07:52 jthomas has joined #wpwg 16:07:52 Christian has joined #wpwg 16:07:52 nsiskov has joined #wpwg 16:07:52 westin has joined #wpwg 16:08:04 present+ John_Bradley 16:08:53 lambdakata3 has joined #wpwg 16:09:17 liucougar has joined #WPWG 16:09:30 liucougar has joined #wpwg 16:09:30 lambdakata3 has joined #wpwg 16:09:30 leecam has joined #wpwg 16:09:30 kavramesh has joined #wpwg 16:09:30 aki has joined #wpwg 16:09:30 melissavs has joined #wpwg 16:09:30 KennethDiaz has joined #wpwg 16:09:30 Wade has joined #wpwg 16:09:30 aprotyas has joined #wpwg 16:09:30 SameerT has joined #wpwg 16:09:30 JeanLuc has joined #wpwg 16:09:30 maximeg has joined #wpwg 16:09:30 FahadMastercard has joined #wpwg 16:09:30 doug has joined #wpwg 16:09:30 Hari_PayPal has joined #wpwg 16:09:30 timcappalli9 has joined #wpwg 16:09:30 Helen has joined #wpwg 16:09:30 Sue has joined #wpwg 16:09:30 nick_s has joined #wpwg 16:09:30 HennaKapur has joined #wpwg 16:09:30 Takashi has joined #wpwg 16:09:30 Jeff has joined #wpwg 16:09:30 jthomas has joined #wpwg 16:09:30 Christian has joined #wpwg 16:09:30 nsiskov has joined #wpwg 16:09:30 westin has joined #wpwg 16:09:57 present+ Melissa_Sebastian 16:10:08 present+ Wade_Jensen 16:10:15 present+ Doug_Fisher 16:10:25 present+ Noormina_Abuthahir 16:10:43 Gerhard has joined #wpwg 16:10:43 liucougar has joined #wpwg 16:10:43 lambdakata3 has joined #wpwg 16:10:43 leecam has joined #wpwg 16:10:43 kavramesh has joined #wpwg 16:10:43 aki has joined #wpwg 16:10:43 melissavs has joined #wpwg 16:10:43 KennethDiaz has joined #wpwg 16:10:43 Wade has joined #wpwg 16:10:43 aprotyas has joined #wpwg 16:10:43 SameerT has joined #wpwg 16:10:43 JeanLuc has joined #wpwg 16:10:43 maximeg has joined #wpwg 16:10:43 FahadMastercard has joined #wpwg 16:10:43 doug has joined #wpwg 16:10:43 Hari_PayPal has joined #wpwg 16:10:43 timcappalli9 has joined #wpwg 16:10:43 Helen has joined #wpwg 16:10:43 Sue has joined #wpwg 16:10:43 nick_s has joined #wpwg 16:10:43 HennaKapur has joined #wpwg 16:10:43 Takashi has joined #wpwg 16:10:43 Jeff has joined #wpwg 16:10:43 jthomas has joined #wpwg 16:10:43 Christian has joined #wpwg 16:10:43 nsiskov has joined #wpwg 16:10:43 westin has joined #wpwg 16:15:09 topic: Fraud Trends 16:15:36 q? 16:15:58 vkuntz has joined #wpwg 16:16:09 present+ 16:16:12 gerhard: We'll start with discussion of fraud trends and what we might do to enhance the web to help 16:19:19 present+ Brian_McManus 16:19:29 present+ Takashi_Minamii 16:19:35 present+ Nick_Telford-Reed 16:23:03 Gerhard: One observation from UK fraud stats that's of note is growth of fraud from authorized push payments. 16:28:15 ...48B USD in fraud worldwide in 2023 16:28:20 ...up from 41B USD 16:28:25 kavramesh has joined #wpwg 16:33:06 q? 16:33:38 Gerhard: Americans lost 5.6B USD to crypto-related fraud in 2023 (according to FBI) 16:33:52 ...the phenomenon is global. 16:34:09 q: do you observe a correlation, in practice, between Large-scale data breaches and Identity theft fraud? 16:35:22 Gerhard: Can we detect links coming from SMS's? Phone numbers? 16:36:08 Maxime: Do you observe a correlation, in practice, between Large-scale data breaches and Identity theft fraud? 16:36:09 liucougar has joined #WPWG 16:36:23 Gerhard: Credential stuffing is a large attack. 16:36:28 Jonathan has joined #wpwg 16:36:31 Jayadevi9 has joined #wpwg 16:36:35 ...if there's a breach, the info is often used for social engineering 16:36:38 Vanitha7 has joined #wpwg 16:36:44 ...there's a lot of work being done in that space 16:37:23 Akshay has joined #wpwg 16:37:24 Sid has joined #WPWG 16:37:29 q? 16:37:38 Tony: Is there any data on authenticated fraud v. non-authenticated fraud, and any data on wallet fraud? 16:38:00 Gerhard: There's obviously lots of data on authorized push-payment fraud. We are starting to gather data on phishing fraud 16:38:17 ...where I'm e.g., getting you to provide an OTP to me 16:38:33 Wallet fraud would be a sub-set of Account take over fraud? 16:38:37 ...e.g., 'attackers are coming from your account, hope we can catch it in time...send me OTP" 16:39:41 ....the specific fraud between authenticated/unauthenticated, there are studies out there. Another issue in the other direction is false positives, and so there are places where they authenticate all the time (and there is more abandonment, which makes merchants unhappy) 16:40:08 Gerhard: I think with *Pay there is often fraud at enrollment time. 16:40:18 [Slide on the Fraud Classifier from the US Federal Reserve] 16:40:40 nick_s has joined #wpwg 16:41:17 present+ Alex_Lakatos 16:41:46 Example would be some one taking over a SDW (staged digital wallet) and using instant payments (Visa OCT, MA Send) to move money from the wallet to a newly added instrument (authentication during Add Card would assist in reducing such frauds) 16:44:49 [Gerhard talks about discussion of phishing proof authentication and WebAuthn] 16:45:39 Gerhard: For Vishing, FIDO can help on the primary channel 16:46:01 Gerhard: Today we are in the realm of authorized push payment fraud. 16:46:31 ...question is how to detect that someone is being manipulated, or that a link is suspicious, or that a site is risky 16:48:22 laka has joined #wpwg 16:48:26 [Gerhard lists a set of fraud scenarios where the browser could help] 16:48:53 steele has joined #wpwg 16:49:05 present+ 16:49:26 q+ 16:49:56 q- 16:50:03 Gerhard: Apple made some changes to prevent some types of attacks from happening. 16:50:37 [Summary: Areas to possibly explore] 16:50:50 q+ to talk about confirmation of payee 16:52:22 Gerhard: Integrity checks would be interesting (as is available in native libraries) 16:52:39 ...information about when user created account would be useful 16:52:49 ...information about whether security settings have been changed 16:52:49 q+ to ask about possible privacy explaining UX for these signals. 16:53:08 Gerhard: Geolocation helpful as well 16:53:14 ...regional information valuable. 16:53:20 q+ to ask about usefulness of an aggregate risk score from the browser 16:53:22 ack rouslan 16:53:22 rouslan, you wanted to ask about possible privacy explaining UX for these signals. 16:53:24 ack rouslan 16:53:28 leecam has joined #wpwg 16:53:35 nick_S has joined #wpwg 16:53:43 rouslan: Interesting signals. Users will likely want to have aa good understanding and control information that's shared. 16:53:46 q+ 16:53:54 ...any ideas about UX for consent or informing the user? 16:54:06 jthomas has joined #wpwg 16:54:35 Gerhard: We are learning about UX from native apps. 16:54:52 ...if we use mobile apps as a precedent, you don't need to check whether OS integrity is there. 16:55:04 ...if the bad guy can say no to the signal, then you are still stuck. 16:55:17 q- later 16:55:46 ...I would try to get to a state where PII is not leaked. Signals valuable nonetheless "I can tell you this OS has been around for more than 3 months" 16:55:47 ..that sort of thing 16:56:10 q+ 16:56:14 zakim, close the queue 16:56:14 ok, Ian, the speaker queue is closed 16:56:21 ack rbyers 16:56:22 rbyers, you wanted to ask about usefulness of an aggregate risk score from the browser 16:56:26 q- 16:56:42 rbyers: We can divide this into some buckets. E.g., case where someone stole a device. We tried Web Environment integrity but there was backlash. 16:57:50 ...is there enough interest in cases where we can trust the device? Then there are two choices: (1) a whole bunch of signals, e.g., SPC might send back more signals, or (2) if you trust the device, maybe the browser can come up with the risk score. 16:58:10 Gerhard: Risk scores could be interesting "Does this look like regular behavior?" 16:58:36 ...there have been studies showing user will choose convenience as long as they are not getting themselves into trouble. 16:58:41 q? 16:59:20 rbyers: If most of our progress was where attacker doesn't control device, would that be progress? 16:59:45 Gerhard: I don't have exact stats. We are starting some work to collect relevant info. We are definitely seeing a trend to more manipulation (where someone is duped). 17:00:01 ..but the largest set is still pretty old school like reusing stolen card details and stealing OTPs 17:00:13 ack nick_S 17:00:35 nick_S: I would not want to see users who require accommodations to be subject to additional gatekeeping. 17:00:56 ...e.g., many users modify DOMs/JS for accessibility reasons. I would not want to put them through higher levels of fraud checks. 17:01:27 ...as OS vendors, we make different choices about what to reveal to apps. We don't want users to be targeted because they have made certain choices (e.g., simple passcodes) 17:01:32 q? 17:01:58 nick_S: I think you're right that OTP is a major fraud vector. That's a deficiency of the payment method. 17:02:15 ...I don't want to lose site of the fact that there are other payment methods that don't require OTP that are inherently more secure. 17:02:24 ...the payment methods need to seek improvements. 17:03:08 Gerhard: We don't want to know what setting was used e.g., related to accessibility, but simply that a setting may have changed. 17:03:40 ...user liability is an issue. 17:04:08 ack benoit__ 17:04:32 benoit: Can you comment on how to verify that information is coming from a trusted source? 17:05:08 Gerhard: I have seen two things of interest (1) backend service call (2) browser signed challenge (e.g., DBSC) sent back to server 17:05:20 RRSAGENT, make minutes 17:05:21 I have made the request to generate https://www.w3.org/2024/09/23-wpwg-minutes.html Ian 17:06:15 Topic: Regulatory trends 17:06:19 zakim, open the queue 17:06:19 ok, nicktr, the speaker queue is open 17:06:31 -> https://www.w3.org/2024/Talks/TPAC/fime-worldline-regs.pdf Jean-Luc slides 17:07:19 Jean-Luc: Working with Grégoire Leleux (Worldline) to survey regulations related to payments and to have a global overview 17:07:34 ...this presentation is an extract of a more detailed study we are doing. 17:10:12 ...topic 1: Dynamic linking 17:12:52 I think he's on the wrong slide 17:13:33 I think he's talking about Verifiable Reliability 17:13:36 vkuntz has joined #wpwg 17:13:46 present+ 17:14:02 ...topic 2: Verifier reliability 17:15:11 q+ to ask whether regulators say that 2-factor authentication can use the factor of possessing a private key when that key is being synced 17:15:35 ack rouslan 17:15:35 rouslan, you wanted to ask whether regulators say that 2-factor authentication can use the factor of possessing a private key when that key is being synced 17:16:13 rouslan: From a regulatory perspective, when we talk about 2FA and one factor is possession, does possession of private key count when the key has been synced? 17:17:08 ...topic 3: Authentication factor information 17:18:14 Jean-Luc: Having private key no longer remaining on the device is no longer a possession factor according to NIST 17:18:36 ...so synched passkeys don't satisfy the regulatory requirement. 17:18:47 ..there are strong desires to use a different possession factor 17:19:14 ...there are emerging trends to replace the private key with something else. 17:19:32 ...it's also valuable to know whether it was the same user 17:20:05 q? 17:20:15 Referred in slides: https://pages.nist.gov/800-63-3/sp800-63b.html 17:20:18 ...topic 4: Device binding 17:20:47 Jean-Luc: In many regulations device binding is either required or strongly recommended. It provides a possession factor. 17:21:12 ...the second reason why strongly recommended is for fraud mitigation. 17:21:25 ...this can improve frictionless in 3DS flows, for example. 17:22:23 steele has joined #wpwg 17:22:28 ...in US, Japan, UK, really valuable for risk mitigation 17:22:38 ...and relates to liability in case of fraud 17:22:46 q? 17:22:58 q+ 17:23:10 q? 17:24:37 steele: Cf. DBSC 17:24:55 q? 17:24:59 ack steele 17:25:11 Tony: is it really binding to the identity or to the authentication that happened? 17:25:42 Jean-Luc: What we observe so far is that there's a difference between dynamic linking (transaction info) and the device binding (device - user binding) 17:26:41 ...depending on regulation ,the way to deal with the privacy may be different 17:26:46 q? 17:27:02 ...topic 5: Data privacy 17:27:20 vkuntz has joined #wpwg 17:27:30 present+ 17:28:09 Jean-Luc: There is a notion of "consent" across the global regulations 17:29:48 q? 17:30:49 q? 17:30:52 q+ to ask about Secure display with binding? 17:30:59 Jean-Luc: We cannot user personal data without user consent. Those data also need to be secured all along the connection 17:31:08 q+ to ask about confirmation of payee 17:31:17 zakim, close the queue 17:31:18 ok, Ian, the speaker queue is closed 17:31:25 vkuntz has joined #wpwg 17:32:01 present+ 17:32:47 Gerhard: one thing we've talked about is "secure display" 17:32:59 ...is there anything about "secure display" in regulations? 17:33:08 Jean-Luc: I think it's part of dynamic linking 17:33:45 ...some regulations are more specific than others about this topic...e.g., requiring user is able to understand what data is shared and with what party 17:33:58 nicktr: We heard from Gerhard about APP fraud 17:34:20 ...we now have "confirmation of payee" in UK and it's being discussed in PSD3 context 17:34:38 ...is there more we can do as web community to bake confirmation of payee into dynamic linking? 17:34:38 Jean-Luc: Definitely. 17:34:50 ...we observe many emerging regulation (whether PSD3 or other) 17:35:06 ...in our study we provide also some mitigation strategies for these risks 17:35:19 ....we can look more about web protocols to help 17:35:26 ...I look forward to sharing more about this on Thursday 17:35:42 RRSAGENT, make minutes 17:35:43 I have made the request to generate https://www.w3.org/2024/09/23-wpwg-minutes.html Ian 17:58:10 Tomasz has joined #wpwg 18:01:18 nsiskov has joined #wpwg 18:01:22 present+ 18:01:30 present+ 18:06:09 nick_s has joined #wpwg 18:08:01 topic: Visa SPC experience 18:09:16 aprotyas has joined #wpwg 18:09:30 vkuntz has joined #wpwg 18:09:44 present+ 18:09:45 jthomas has joined #wpwg 18:10:16 Not sure I read all of that 18:10:43 Doug: We see SPC as providing enhanced FIDO user experience compared to standard WebAuthn. 18:11:23 ...benefits for merchants, consumers, and issuers 18:11:44 present+ Chetan_Krishna 18:11:50 q? 18:11:53 present+ Bjorn_Hjelm 18:12:01 present Heng_Liu 18:12:06 queue= 18:12:07 present+ Helen_Qin 18:12:11 zakim, open the queue 18:12:11 ok, nicktr, the speaker queue is open 18:12:14 queue= 18:12:21 pablosfor has joined #wpwg 18:12:23 present+ Abrar 18:12:37 Doug: We implemented 2 pilots into production since last TPAC> 18:12:48 ...good news: it works! 18:12:52 ..and it works with 3DS. 18:12:58 present+ Westin 18:13:09 present+ Mohamed_Amir_Josef 18:13:28 Doug: This is not the only use case for SPC, but our focus is payment use case with 3DS. 18:13:37 ...we are looking for any barriers to the scalability of SPC 18:14:36 westin has joined #wpwg 18:14:38 ...we did two pilots based on 3DS 2.3.1.1 18:15:00 s/...we did two pilots based on 3DS 2.3.1.1/we did one pilot based on 3DS 2.3.1.1/ 18:15:11 ...and a second pilot using an extension with 3DS 2.2 18:15:38 ...we wanted to check whether we could use SPC sooner in 3DS 2.2. 18:16:15 (Nako gives a quick introduction of how this works) 18:16:28 s/Nako/Nakjo/ 18:16:39 fahad has joined #wpwg 18:19:52 maximeg has joined #wpwg 18:20:23 (We see a video showing SPC enrollment after ID&V) 18:20:45 laka has joined #wpwg 18:20:51 q+ to ask about the passkey creation UI 18:21:25 ack rouslan 18:21:25 rouslan, you wanted to ask about the passkey creation UI 18:21:28 ack rouslan 18:21:57 can we get access to the minutes if we're not wpwg members? currently getting a 403 18:22:21 Tony: Do you care about synched passkeys or do you create a new one each time? 18:23:04 q+ 18:23:33 vkuntz has joined #wpwg 18:23:39 present+ 18:23:48 ack Gerhard 18:23:55 Ian: We want to use passkeys; need more info 18:24:08 Gerhard: We also don't know whether passkeys have been synched. The challenge is "trying and failing" 18:24:26 ...if we had more info about whether there's a key, that would help 18:24:49 Jayadevi has joined #wpwg 18:25:06 q+ to note that whether its synced or not re SPC depends on the platform 18:25:25 Tony: You can tell whether a passkey is synched or not. 18:25:37 Tim: You are told that its syncable upon creation. 18:26:12 ...whether it is synched or not in the future is not important from a security perspective. 18:27:00 ack smc 18:27:00 smcgruer_[EST], you wanted to note that whether its synced or not re SPC depends on the platform 18:27:17 smcgruer_[EST]: Even for SPC it's very platform dependent where the credential ends up, whether it's synched or not, etc. 18:27:30 ...I would not advocate for people to depend on current Chrome behavior on Mac. 18:28:28 present+ Maxime_Guerreiro 18:28:56 aprotyas has joined #wpwg 18:29:38 Nakjo: We look at new device use case...user knows there is a passkey related to the number. We don't store cookie, so we get the fallback UX 18:30:58 Nakjo: We also cover the case where user cancels during SPC authentication, and since we don't know that passkey is available we prompt user to re-register. 18:32:26 Doug: Here's some feedback from the pilot: 18:32:50 a) 2.2 with extension is feasible, and the implementation effort is relatively straightforward. 18:33:14 ....starting with 2.2 and migrating to 2.3.1.1 is also smooth. 18:33:23 present+ David_Turner 18:33:43 Doug: We are planning to provide the extension to EMVCo; and if 3DS WG agrees, it would be generally available 18:34:24 b) Feedback from issuers and pilot participants is that we need more OS and browser support for SPC in order to get the consistency of experience users expect. That's critical for us for getting scale. 18:34:24 q+ minor side-note, the Android bug has now been fixed in Play Services and should be live in early/mid October 18:34:31 q+ to make minor side-note, the Android bug has now been fixed in Play Services and should be live in early/mid October 18:34:55 Doug: When a cardholder has a problem, we have no information what happened and how to debug it. 18:35:18 ...our logs from the pilots don't tell us why. So that's challenging. 18:35:25 ack smcgruer_[EST] 18:35:26 smcgruer_[EST], you wanted to make minor side-note, the Android bug has now been fixed in Play Services and should be live in early/mid October 18:35:42 smcgruer_[EST]: Android fix has landed and will be available to everyone mid-October. 18:35:50 ...I'll also ack the concern about how to debug this. 18:36:05 ...did general WebAuthen debugging land? 18:36:27 Adam: The things in question wouldn't be useful here. 18:36:45 Jayadevi has left #wpwg 18:37:16 Jayadevi has joined #WPWG 18:37:58 Sid has joined #WPWG 18:39:03 benoit_ has joined #wpwg 18:40:00 Doug: 3p payment bit is still fixed in the browser. Suggest developing consensus on how it should be stored. 18:40:00 q? 18:40:15 Tim: You want to store it with the passkey right? 18:40:18 Adam: Even if synchedD? 18:40:45 Doug: yes with the authenticator. If the passkey is synched, it would be interesting to sync the 3p payment bit as well. 18:40:54 q? 18:41:05 Tony: Do you care about conformance or certification of passkeys? 18:41:23 Doug: We hope we will discuss attestion this week. 18:41:40 Tony: What are your requirements regarding libraries? 18:41:47 ...do they need to be conformance tested or certified? 18:42:14 Nakjo: For this pilot we are relying on platform authenticators and they are "good enough" at this point. 18:42:36 Tim: Do you want 3p bit to be synched via WebAuthn? 18:42:42 pavelar has joined #wpwg 18:43:14 Tim: SPC 3p bit part of PKCS for tomorrow discussion. 18:44:08 Doug: We got favorable feedback from users on the UX 18:44:14 ... we have some feedback on dialog options 18:44:16 KennethDiaz has joined #wpwg 18:44:30 ...the Chrome team has provided a prototype ability to let us do A/B testing 18:44:51 Doug: We ran three UX's (A, B, C). 18:44:58 ...B was preferred by people with experience. 18:45:08 ...and those familiar with 3DS UX 18:46:16 q? 18:46:35 q? 18:46:38 Doug: Some feedback was on how SPC and 3DS work together, not just on SPC itself. 18:46:58 Tony: What's your timeline? 18:47:31 Doug: We're not done with testing. One thing we are very interested in about invoking SPC without a WebAuthn credential. 18:47:46 ...and SPC could be used as a transaction confirmation dialog 18:47:57 q+ 18:48:04 ...and we could see that helping a transition from people without credentials to people with credentials. 18:48:08 ack KennethDiaz 18:48:50 KennethDiaz: Our experience is that we had to do a bit of communicating on the server side to get support SPC. We had to make some validation changes to support SPC. 18:49:06 ...for issuer adoption, it would be nice if any issuers would not have to do those things. 18:50:28 Topic: Mastercard experience with SPC 18:50:35 soba has joined #wpwg 18:51:08 Jonathan: There are two elements we are thinking about to increase security of online compared to in-person: tokenization and authentication 18:51:43 ...biometric has been a focus to give security plus a seamless experience. 18:52:55 Here is the link to the latest olicy -> https://www.w3.org/policies/antitrust-2024/ 18:53:00 *policy 18:55:01 Jonathan: Passkeys are created after some ID&V 18:56:18 ...how can passkeys be used for payments? For SPC there are two main use cases that we've mostly discussed: integration into 3DS and other protocols 18:56:40 Tony: Is device binding concern at creation time or use? 18:57:00 Jonathan: At creation time. You could create the binding at creation time or later. 18:57:29 ...it might happen at the same time as creation or it might happen later. 18:58:05 Tim: I am concerned about giving this thing a new name for passkeys. (This is a branding concern.) 18:58:32 Jonathan: Unfortunately until we solve passkeys for payments we need a differentiator 19:00:01 present+ Alan_Wang(Mastercard) 19:01:50 q+ 19:01:51 [Jonathan shows demo where passkey is used during checkout] 19:01:59 Adam: What domain is the cookie? 19:02:09 Jonathan: Mastercard. We need to be in a 1p context. 19:02:27 ack Gerhard 19:02:36 Gerhard: This is using SRC? 19:02:37 q+ to ask whether cookie clearing after 7 days by some user agents will be problematic 19:03:01 Jonathan: This is not using 3DS. 19:03:56 q+ 19:04:10 me thx @ian 19:04:55 q+ manjush 19:04:56 rouslan: Is cookie clearing after 7 days problematic? 19:05:02 ack rouslan 19:05:02 rouslan, you wanted to ask whether cookie clearing after 7 days by some user agents will be problematic 19:05:18 Jonathan: This is clearly not the preferred way for device binding. But in this case it's 1p cookie. Clearly we'd like other solutions for device binding 19:05:27 ack nick_s 19:05:37 nick_S: is your intention that this be used with card on file, or is it just an example? 19:05:41 Jonathan: Just an example. 19:05:59 ...the passkey RP is with the bank, or the network. 19:06:16 nick_s: Isn't the attraction of card-on-file that you don't have to go through this process? 19:06:38 Jonathan: Merchants don't generate their tokens, the get tokens. 19:06:58 ...it's easier to get credential when stored on file compared to typing in card details. 19:07:24 aprotyas has joined #wpwg 19:07:31 Manjush: IN the verification payload I saw a new domain open 19:07:44 Jonathan: We need a 1p context to read a cookie. 19:07:46 q+ from the back, to ask how this compares to the Payment Request API, security wise. aka: Why give a passkey and not record/tokenize the payment method? 19:07:56 q? 19:08:02 ack manjush 19:08:39 Jonathan: Observations from this experience (1) complexity with pop-up blockers (2) focus continuity 19:09:00 ...regarding UX, there are different experiences in settings that might happen 19:09:15 ...so UX regarding passkey lifecycle management issues (when user deletes passkey) 19:09:27 q? 19:09:30 q+ Maime 19:09:33 q+ Maxime 19:09:36 q- Maime 19:09:44 ack Maxime 19:09:48 q+ 19:09:53 Maxime: How does this compare to PR API. 19:09:55 q- 19:10:59 Jonathan: How SPC can help... 19:11:14 ....some benefits: 19:11:20 * Cross-origin authentication is very helpful, and not just in 3DS context 19:11:39 * Dynamic linking 19:11:50 ..SPC makes that easier. 19:12:03 * Consistency of the UX 19:12:40 Jonathan: We did some usability testing with prototype from Chrome team 19:13:12 ...trust is very important to people who are authenticating. The logos (that 3DS requires) has been perceived as very important for trust and security. 19:13:28 ...other elements like store name, card name, number, total amount also very important. 19:13:38 ...there were some questions about the "Verify" label on the button 19:14:07 ...some participants were expecting the prompt for WebAuthn without having to click again. 19:14:24 ...we did some prototyping 19:15:02 [Jonathan shows some live demos of registration] 19:15:40 present+ Ryan_Watkins 19:15:58 present+ Theodore_Olsauskas-Warren 19:16:01 present+ Chetan_Krishna 19:16:06 present+ Frederic 19:16:24 present+ Kavya_Ramesh 19:19:14 Jonathan: We got feedback from our SPC prototype 19:19:42 ...what's next? 19:19:58 ...device binding, key attestation, info about authentication factors are all important for compliance with regulations 19:20:18 ...that will be important to our SPC pilot 19:20:29 Adam: What does key attestation mean? 19:20:42 Adam: Which passkey provider. If you have device binding, why do you care? 19:21:12 q+ 19:23:21 q+ Tim 19:23:45 q+ Theodore 19:24:41 Jonathan: Some uX topics - interop across browsers, no similar experience in native apps, some confusing UX on OS screens due to general focus on login, no understanding of device binding. 19:24:45 ack rbyers 19:24:45 ack rbyers 19:24:54 q+ 19:24:58 https://github.com/w3c/secure-payment-confirmation/issues/271 19:25:16 (That's after lunch!) 19:25:32 ack tim 19:25:33 ack Tim 19:25:49 Tim: WebAuth says explicitly there's no guarantee it's the same individual. 19:26:07 ...knowing "same user" is out of scope for WebAuthn 19:27:49 Tomasz has joined #wpwg 19:28:03 q+ to note that SPC is willing to extend WebAuthn beyond its narrow scope, if that's useful for payment, and maintains good security and privacy properties. 19:29:11 ack theodore 19:29:35 Theodore: In a slide you mentioned IP address for additional signals for fraud mitigation. 19:29:54 ...can you speak to the relative importance of webauthn as a signal v. other signals 19:30:24 Jonathan: There was no real relationship between the passkey and additional data. Feedback from banks is that they want to use additional signals. 19:30:41 ...if you use already 2FA, but there is typically multi-layer security. 19:31:13 ...banks would love to be able to trust data they are getting. 19:31:20 q? 19:31:25 ack nick_s 19:31:34 ack nick_s 19:32:14 nick_S: Regarding data about things like configuration changes...it would be helpful to me if we could have more information about what data is going to be used for and why it's needed. 19:32:22 q+ 19:32:34 ....I need to know why that's needed and also discussion of where users are disadvantaged. 19:32:40 q- 19:32:56 Happy to provide more context on the value of some of those signals. 19:33:14 ...I am sympathetic for the need for device binding. But there's an assumption that users operate on discrete devices. But users moving forward will be interacting with multiple devices (e.g., interacting with your iPhone on your mac is a new feature) 19:33:38 ...there may be other options than device binding for addressing needs. 19:34:06 Jonathan: I agree with your first point that we need more info about what banks are doing. One use case (in Italy) the regulator requires the banks to indicate what auth factor was used. 19:34:37 q- 19:34:46 ...for the second topic, the requirement has been going on for years and is well-understood by banks. It doesn't mean that you can't use multiple devices, only that you know whether you've seen a given device. 19:35:18 q? 19:35:26 Jonathan: Dropping the passkey to someone else is out of scope from a payment perspective. You don't give your card to someone else for forever. 19:35:58 Jonathan: The UX for "login" is different than for payment, and that's a source of confusion. 19:36:32 q+ 19:36:43 ack steele 19:36:44 Jonathan: There are also issues with 2 authentications back to back because you don't know whether there's a credential on the device. 19:37:01 Nick_Steele: We're looking into providing additional trust signals in FIDO alongside a passkey response. 19:37:16 ...some information outside of device binding but rather around the "synchedness" of credentials. 19:37:20 kavramesh has joined #wpwg 19:37:23 aprotyas has joined #wpwg 19:38:28 Nick_Steele: We want to provide the data you need so that you don't need more factors, and the security posture of parties using info 19:38:33 q? 19:38:40 Zakim, close the queue 19:38:40 ok, nicktr, the speaker queue is closed 19:39:05 ...if you have a new device, one could have multiple devices you'd be able to get a signal about whether, if a user were to use a key on a new device you'd know it was synched. 19:39:56 Tim: These are discussions, no commitments yet. 20:13:35 benoit__ has joined #wpwg 20:13:45 benoit_ has joined #wpwg 20:30:39 aprotyas has joined #wpwg 20:44:10 pavelar has joined #wpwg 20:44:18 maticompiano has joined #wpwg 20:45:27 Gus has joined #wpwg 20:46:28 pablosfor_meli has joined #wpwg 20:48:50 Gus has joined #wpwg 20:51:26 pablosfor_meli has joined #wpwg 21:01:34 Gerhard has joined #wpwg 21:04:09 Gus has joined #wpwg 21:05:29 Christian has joined #wpwg 21:06:10 bkardell_ has joined #wpwg 21:07:00 westin has joined #wpwg 21:07:02 battre has joined #wpwg 21:07:03 Jayadevi has joined #WPWG 21:07:03 vkuntz has joined #wpwg 21:07:06 jthomas has joined #wpwg 21:07:08 nsiskov has joined #wpwg 21:07:10 present+ 21:07:12 maximeg has joined #wpwg 21:07:14 present+ 21:07:17 present+ 21:07:19 Jonathan has joined #wpwg 21:07:21 present+ 21:08:00 fahad has joined #wpwg 21:08:11 nick_s has joined #wpwg 21:08:17 DavidTurner has joined #wpwg 21:08:28 Koobikland 21:08:40 doug has joined #wpwg 21:08:41 Soumya has joined #wpwg 21:08:42 Sidd has joined #WPWG 21:08:43 liucougar5 has joined #WPWG 21:08:51 https://koobikland.com/gallery/ 21:09:11 Sue has joined #wpwg 21:09:20 zakim, set logs public 21:09:20 I don't understand 'set logs public', Ian 21:09:21 zakim, set logs publicc 21:09:22 Jeff has joined #wpwg 21:09:22 I don't understand 'set logs publicc', Ian 21:09:22 zakim, set logs publicc 21:09:22 I don't understand 'set logs publicc', Ian 21:09:25 zakim, set logs public 21:09:26 I don't understand 'set logs public', Ian 21:09:30 rrsagent, set logs public 21:10:10 HennaKapur has joined #WPWG 21:10:28 Topic: Chrome updates around SPC 21:10:36 [Rouslan presents] 21:11:28 -> https://www.w3.org/2024/Talks/TPAC/chrome-spc-20240923.pdf Rouslan presentation 21:12:20 Rouslan: We are planning to update some of the UX based on industry feedback 21:12:37 1) Issuing bank icon 21:12:43 2) Payment network icon 21:12:51 3) Improved formatting for merchant name and origin 21:13:05 4) Choose between different names for payment instrument types 21:13:15 5) More fields and better formatting for the payment instrument field 21:13:30 6) Make user choice explicit 21:13:32 q+ 21:13:38 zakim, open the queue 21:13:39 ok, Ian, the speaker queue is open 21:13:41 q+ Fahad 21:14:53 ack Fahad 21:15:19 q+ to clarify 21:15:56 q- 21:16:31 Fahad: origin may not be useful. 21:17:06 Rouslan: the extra information can be useful for backup 21:17:34 Rouslan: We are also updating the fallback UX 21:17:50 ...we have to show some UX to hide from the site that the user does not have a credential. 21:18:28 ...the UX prevents a timing attack 21:19:01 ...the new dialog is a confirmation dialog. 21:19:25 q+ 21:21:02 q+ 21:21:17 Ian: Could signing data with browser-specific key be useful? 21:21:23 Rouslan: I think the guarantees would be weak 21:21:27 hack Ian 21:21:27 q+ 21:21:27 ack Gerhard 21:21:32 ack me 21:21:44 ack ian 21:22:08 Gerhard: I think the approach would be that we would still use the key, and still challenge the user through some form of challenge. 21:22:29 (There's a MITM issue that would need to be addressed.) 21:23:01 +q Gus 21:23:20 ack Jonathan 21:23:55 Jonathan: It could be interesting to have "Confirm" with web authn signature without user verification 21:24:06 ...that could be an alternative market. 21:24:13 ack Gus 21:24:26 Gus: Is there are a high risk path for credential not found? 21:24:47 ...suppose I'm a merchant that only accepts verified payments, can I send someone back to payment selection instead of cancel? 21:25:17 Rouslan: In this UX we have "verify another way" 21:26:00 ....any outcome from this UX means "there is no web authn result" and the merchant could then offer a different card. But I don't know what impact that would have on conversion. 21:27:21 q+ for some quick clarifications 21:27:41 ack smcgruer_[EST] 21:27:41 smcgruer_[EST], you wanted to discuss some quick clarifications 21:28:35 smcgruer_[EST]: We won't give a signal "there is no credential". 21:29:34 smcgruer_[EST]: we will give signal of "either there was no credential OR the user didn't want to use them" 21:29:40 smcgruer_[EST]: I think you can use that signal for what you want? 21:30:00 q+ 21:31:30 ack nick_s 21:31:49 q? 21:32:02 Ian: whether the merchant can learn about authentication credentials associated with instruments depends on the payment method (or SPC / FIDO integration) for that method. 21:34:59 q? 21:36:17 q+ 21:36:28 HennaK has joined #WPWG 21:38:05 q+ 21:38:10 +q Gus 21:38:12 ack Jonathan 21:38:18 q+ 21:40:11 Question: in fallback UX, should "Confirm" return an error saying "user cannot user credential" or some sort of signature over the data? 21:40:36 https://github.com/w3c/secure-payment-confirmation/issues/275#:~:text=Should%20we%20raise%20an%20NotAllowedError%20or%20return%20a%20technically%2Dsuccessful%20outcome%20but%20which%20contains%20an%20indication%20that%20the%20user%20didn%27t%20actually%20perform%20any%20identification%3F 21:41:04 q? 21:41:24 q+ 21:41:32 ack benoit_ 21:44:42 ack Gus 21:45:03 Gus: If "confirm" gives merchant a signal "user wants to continue" that could be helpful. 21:45:39 ...maybe "Confirm" is confusing 21:45:40 ack nsiskov 21:45:44 Rouslan: Perhaps "Continue"? 21:45:47 Gus: Maybe 21:46:51 Nsiskov: Any way to have no fallback UI? 21:49:31 q+ 21:49:34 q- 21:49:54 q+ 21:50:37 Nsiskov: Instead of fallback, could browser wait for a random period of time and not show UX? 21:50:52 Rouslan: We'd have to block interactions with the web site during that time. 21:51:13 ...from a user perspective it would look like the site is not being responsive. 21:51:24 q- 21:51:51 nick_s: What's the interplay between SPC and SPA? 21:51:54 Ian: Coming soon. 21:53:25 q? 21:53:30 ack nicktr 21:53:39 ack nick_s 21:53:44 Nick_S: Consistency of experience was also cited as a value. But they may not get a consistent experience. 21:54:13 Doug: I just wanted to thank you for the updated UI! 21:54:25 ...I think this will be adopted more readily. 21:54:35 ....I will be interested to see what SPC API changes are, and impact on 3DS 21:54:47 q+ gus 21:56:08 q+ 21:56:15 Doug: I think there's value to the fallback UX. "Try another way" needs to be potentially on both happy path and fallback UX 21:56:32 ack smcgruer_[EST] 21:56:36 ack gus 21:56:58 nick_s has joined #wpwg 21:56:59 smcgruer_[EST]: Checking what Doug said: "Confirm" gives site a signal to continue to 3ds flow. 21:57:06 ...are you saying you want two paths? 21:57:15 Doug: Good point. Maybe we'll mull that over. 21:58:33 Rouslan: The API will return 3 results codes instead of 2 in the new UX 21:59:06 q? 22:00:32 Jonathan has joined #wpwg 22:00:37 [Device binding proposal] 22:00:44 q+ 22:01:22 Rouslan: We have some questions - are we re-inventing the wheel for DPK and SPK? Could that work be reused? Are we missing some edge cases already covered by WebAuthn? 22:01:23 q+ 22:01:28 q? 22:03:11 Jonathan: WebAuthn no longer has DPK/SPK extensions. Where will key be stored? 22:03:18 Rouslan: In user profile. 22:03:24 Adam: It would probably still be hardware bound. 22:03:54 ...the key is 'hardware' bound but stored in the profile. 22:04:24 Adam: If you are talking TPM, there's no external signal. 22:04:39 ...that's distinct from secure element, which could have policies attached to credentials. 22:04:58 ...you can credential that allows silent signing. 22:05:08 q+ 22:05:32 ack Jonathan 22:05:40 ack me 22:06:04 ack ger 22:06:55 Gerhard: For me, being able to sign on this specific device and being able to know that this is a device I've seen Ian use before is valuable. 22:07:16 ...not being able to sync it, or preventing social engineering sounds like it will improve security. 22:07:30 q+ 22:07:31 q+ 22:08:11 q+ gus 22:08:34 q+ adam 22:08:36 ack nick_s 22:08:57 nick_s: We would have concerns about allowing sites to do device bound signatures without interaction. 22:09:48 I would be very supportive of an 'always confirm' with a button. 22:10:04 Showing transaction information while doing this. 22:10:07 Ian: Would doing SPC constitute a user interaction? 22:10:25 Nick_S: Maybe, if the user is educated about what's happening, and sufficiently good language, etc. 22:10:36 q? 22:10:38 ack smcgruer_[EST] 22:10:57 smcgruer_[EST]: Yes, I was just going to say I agree with Nick_S in general. I think we can make SPC meet that UX. 22:11:02 +q 22:11:05 q- 22:11:07 s/UX/UX requirement 22:11:13 q- gus 22:11:37 steele has joined #wpwg 22:12:01 smcgruer_[EST]: As a 1p I can drop a cookie that's a device identifier. And DBSC is coming. I think there is a big space and where we will draw the line about a persistent identifier. 22:12:18 ack adam 22:13:06 Adam: 50% of windows machines don't have a TPM. Would you be ok with not hardware-bound (and we'll tell you which one you got). Would you prefer "nothing" in this case? 22:13:46 Christian has joined #wpwg 22:13:51 Eric(Visa): You need a certificate. If you are signing something, the attacker can do as well. But the attacker may not have the ability to sign with a certificate. 22:13:54 present+ 22:14:03 present+ Eric(Visa) 22:14:19 present+ 22:15:08 q+ 22:15:09 +q to ask n00b question 22:15:23 q+ 22:15:44 +q gus 22:15:56 -q 22:16:00 Nick_s: If you clear your device, you're not going to get the (same) attestation. 22:16:26 Gus: The history of trusted use of the key is what's valuable. 22:16:43 q+ 22:17:05 ack Gerhard 22:19:05 (Discussion about using SPC as confirmation UX with less-than-WebAuthn security) 22:19:17 Gerhard: We are just trying to get incremental improvements. 22:19:30 Eric: Attacker doesn't have to be present all the time.... 22:19:38 Gerhard: Trust is built up over time. 22:20:31 q- 22:20:55 ack gus 22:20:59 ack nick_s 22:21:10 nick_s: It might be helpful to look at native apps. 22:21:26 ...we have this problem today, where apps want certain guarantees to prevent fraud and abuse. 22:21:26 Jonathan has joined #wpwg 22:21:48 ..what we allow in iOS is to attest and sign data. The attestation is only that the device has not been jailbroken. 22:21:59 ...we allow apps to ONLY store 2 bits 22:22:16 ...the use case we wanted to solve for was fraud. that's the min we could do without privacy risk. 22:22:32 q? 22:22:44 IJ: What should SPC do? 22:23:18 Nick_S: The Web is a less restrained world. In addition to the attestation, we can indicate how many times the attestation has been reset. 22:23:48 Jonathan: The big difference is with apps you can get device bound keys. 22:24:10 q+ 22:24:43 Nick_S: There's a difference between "bound to a device" and "not-synched". So a key might change devices, but is not synched at any given time. 22:25:04 nick_s has joined #wpwg 22:26:34 steele has joined #wpwg 22:26:40 Ian: Design idea here is "more power due to dedicated UX" 22:26:55 Rouslan: Last topic here is shopOptOut, which we propose to remove from the API. 22:27:11 https://github.com/w3c/secure-payment-confirmation/issues/274 22:27:33 Rouslan: We've not seen much usage. We'd like to remove it. If you still think it's important, let us know. 22:28:15 q? 22:28:26 Rouslan: We'd like to continue to hear from you about these feature proposals. 22:28:26 ack me 22:28:45 topic: Trust signal statements (by Nick Steele) 22:31:45 (Apologies to people who may have joined to be in the auto-fill session exactly at 3:30pm…we will start that session in just a few minutes.) 22:32:22 Nick: Scenario - platform provider statements 22:32:45 ...we could generate a trust signal with a base statement, provider metadata, and platform metadata. 22:33:49 ...new trust statement would be generated when passkey shared 22:34:01 ....the statement would change when passkey changes hands. 22:34:11 ...we could leverage FIDO MDS or have some authority 22:34:33 ...we could have an authority model where the platform provides the key and signs with us, but when the platform is not available, the provider provides the key. 22:35:44 ...there might be a use case that doesn't allow for non-native flow . 22:36:00 maximeg has joined #wpwg 22:36:32 q? 22:37:22 q? 22:37:37 Nick_Steele: I hope we know more about future of this by end of year. 22:37:49 ...we need to refine signals for high security RPs. 22:38:38 Jonathan has joined #wpwg 22:38:51 Topic: Improving address autofill 22:40:14 q? 22:40:18 (Chris from Shopify) 22:40:50 Chris: We updated the proposal based on earlier conversations today. :) 22:41:03 ...question is how to enhance autofill for the web 22:41:26 ...autofill is an important part of UX on the Web, but there are challenges. 22:41:40 ...for example, dynamic nature of address formats and forms makes it easy to break autofill 22:42:09 ...we see some privacy risks as well 22:42:45 s/Chris from Shopify/Chris Indra from Shopify/ 22:43:09 Chris: Depending on your country, the other form fields that are necessary may change. 22:43:52 Chris: Another situation we have is separate iframes with all fields. We use post messages to sync values across all frames. 22:47:39 q+ 22:47:57 Chris: Trigger is still a user interaction. 22:48:15 ...this allows autofilling as conditional forms. 22:48:29 q+ 22:48:38 q+ 22:49:27 ack vkuntz 22:49:45 q+ to ask about best ways to experiment with potential user experience (UX) for this. 22:50:23 Vkuntz: Regulators seeking more and more structured addresses. In the future, unstructured may not be acceptable (for credit transfers) 22:50:32 igrigorik has joined #wpwg 22:50:35 Chris: I agree it should be structured. 22:50:54 Yoav: The full address is important for the user consent part. Under the hood, the data will still be structured. 22:51:17 ...the user is consenting to have their whole address filled regardless of the state of the current form. 22:51:31 ack smcgruer_[EST] 22:51:35 maximeg has joined #wpwg 22:51:43 smcgruer_[EST]: As you know, Chrome is interested in this proposal. 22:51:51 ...it would be more predictable for the web, a good thing. 22:51:56 q+ to ask if this is a breaking change for web developers 22:52:16 q+ 22:52:22 ..have you thought about the UX to make clear to the user that they are sharing the full address? Today we show a "preview" but hidden frames are a problem. 22:52:34 ...have you thought about the UX for all data about to be shared? 22:53:02 Chris: In this version of the proposal we would still use the web form to show the data. 22:53:33 q- later 22:53:44 q+ 22:53:45 q+ 22:53:53 Chris: Users are not surprised when all the components of an address are shared. Users expect that. 22:54:21 q? 22:54:22 ...what should not happen is to try to fill other fields unrelated to address (e.g., address) 22:54:34 ...the user should see explicitly that their email or phone are being shared. 22:55:14 smcgruer_[EST]: It's not clear to me that we should maintain the state of the web where hidden data is shared . 22:55:16 ...we should fix that. 22:55:24 ack nick_s 22:55:44 nick_s: I agree with Stephen. I don't think it's an improvement if it looks only like city is shared but a whole address is shared. 22:56:19 ...other ideas: if would be nice if we could get a 2-way dialog going. Example - iOS doesn't have a concept of "states" in some places but Shopify does. 22:56:51 ...if we are going to define a data structure, it should be done in alignment with the Contact Picker API. 22:57:08 Chris: So, for example, Shopify could tell browser "this address is not valid" and the browser could improve? 22:57:20 q? 22:57:32 Nick_S: Yes. Browsers today say "You want to save this new info?" 22:57:41 +1 in general, we often end up with duplicate profiles or ping-ponging profiles because of how different sites represent the data on form submit 22:57:46 Yoav: It feels risky to have the site impact the autofill presentation. 22:57:56 q? 22:58:16 Chris: You don't want a malicious site saying an address was invalid, and the browser changes what's stored and then it's a pain for the user. 22:58:42 zakim, close the queue 22:58:42 ok, Ian, the speaker queue is closed 22:58:46 q? 22:58:55 q- later 22:59:48 @@: We need to figure out to not harvest data through hidden input fields. 23:00:24 ...it would be great to be super surgical about what data to share, but the expectation of the user is that their (whole) address will be sent back. 23:00:31 ...address should be treated as an atomic unit. 23:00:33 q? 23:01:38 ack rouslan 23:01:38 rouslan, you wanted to ask about best ways to experiment with potential user experience (UX) for this. 23:01:46 rrsagent, make minutes 23:01:47 I have made the request to generate https://www.w3.org/2024/09/23-wpwg-minutes.html Ian 23:01:56 Rouslan: Thanks for bringing up these topics here. 23:02:29 One topic of discussion is "how much of an address to share". Some people may recall that when PR API exposed shipping address, we received pushback from PING about oversharing.. 23:02:43 ...our compromise was that we redacted the address for shipping price computation. 23:02:56 ...there are use cases where full address is not needed. 23:03:35 q? 23:03:50 ...the PING suggested a dialog between site and browser to start with country, for example, then the user could agree and then more could be shared after more dialog 23:04:04 ...the user experience is really important, however. 23:04:27 q- 23:04:28 ...recall also that developing browser UX is slower than iterations in web pages to find good patterns. 23:04:56 q- need for coffee > need for answers 23:04:59 ...can we figure out how to experiment to arrive at a good UX. 23:05:06 q- steele 23:05:19 s/@@/Ilya 23:05:48 (Some chatting about UX) 23:06:47 ack benoit_ 23:07:16 benoit_: +1 to a web standard for address filling 23:07:44 battre: I have an I18N comment. Perhaps the agreement we need to get is on address structure. 23:08:22 NickTR: my suspicion is that this is a hard problem, and that's why it's a mess 23:08:26 RRSAGENT, make minutes 23:08:27 I have made the request to generate https://www.w3.org/2024/09/23-wpwg-minutes.html Ian 23:08:56 vkuntz: With regulators stepping in, it's important. We spent a year on this in ISO. We came up with a a structure that works for 99% or people. 23:09:09 I have made the request to generate https://www.w3.org/2024/09/23-wpwg-minutes.html Ian 23:09:15 please share the spec number 23:09:15 smcgruer_[EST]: 99% of beneficiaries != people 23:09:47 +1 smcgruer 23:10:41 q- 23:10:46 ISO 20022? 23:10:51 There's WICG session on autofill improvements on Friday 23:21:34 jthomas has joined #wpwg 23:34:23 rrsagent, make minutes 23:34:24 I have made the request to generate https://www.w3.org/2024/09/23-wpwg-minutes.html Ian 23:34:38 Topic: Digital Credentials and Payments 23:34:51 nsiskov has joined #wpwg 23:35:10 present+ 23:35:57 -> https://docs.google.com/presentation/d/1hCd4xZSsZ_TsyeiVAyrhLk6T7LkCb2OE/edit#slide=id.g3021d8ee486_0_6 Tim Cappalli presentation 23:36:38 Jayadevi has joined #WPWG 23:36:47 Tim: This is a session idea from a variety of conversations around payments 23:37:03 maximeg has joined #wpwg 23:37:04 ...including with other organizations. 23:37:11 ...goal for today is to level-set 23:37:20 ...we'll talk about use cases, existing technnologies 23:37:31 ...ideas for architecture 23:38:24 (Tim is from Okta) 23:38:52 Tim: Here "credentials" mostly means VC. 23:39:13 present+ Kristina_Yasuda 23:39:26 nick_s has joined #wpwg 23:39:39 Lee Campbell: I look after identity and more for Android. 23:39:51 ...first a bit of background on Digital Credentials APIs. 23:40:06 Hari_PayPal has joined #wpwg 23:40:07 ...foundational use case is to return a credential from a wallet. 23:40:15 ...e.g., on a mobile device 23:40:34 ...there is a "return" API being experimented with, and soon a "create" API 23:40:54 ...the main credentials people are looking at right now are MDOCs 23:41:22 ...interesting use cases: presentation 23:41:36 ...out of EIDAS are question about how to use digital wallets and credentials for payments. 23:41:54 ...one proposal coming out of the EU is that we could present digital credentials at SCA moments 23:42:19 ...imagine a flow where user enters card number and there's a request for a digital credential version of the card. 23:43:06 HennaK has joined #WPWG 23:43:45 q+ to ask about tap 23:43:48 maticompiano has joined #wpwg 23:43:48 some use cases: dynamic linking, checkout flows, account-to-account payments, multi doc presentation, native and interoperable payments on the web, phishing resistant cross-device presentation, 23:43:52 zakim, open the queue 23:43:52 ok, Ian, the speaker queue is open 23:43:56 q+ 23:44:18 Lee: We do imagine having a native API for these credentials as well. 23:44:30 ...support for transaction history 23:44:42 ack nicktr 23:44:55 pavelar has joined #wpwg 23:45:00 aprotyas has joined #wpwg 23:45:07 nicktr: Regarding single tap for payments and identity in physical world. That's in scope for this work? 23:45:30 pablosfor_meli has joined #wpwg 23:45:33 Lee: To get multiple document use cases, goal is to have single authentication. 23:46:24 Lee: Once there is support in stores, we see there is a long-term opportunity for multiple doc presentation. 23:46:43 ..once a reader can accept an identity doc, no reason to not be able to also accept payment credentials. 23:46:47 q? 23:47:03 q+ DavidTurner 23:47:38 John_BradleY: From the EU commissions POV, they are more interested in PSD2 debit transactions in combination with other identity things, but in theory credit card could also be used. 23:48:18 Lee: We envision standards-based ability to use a variety of payment credentials 23:48:20 ack Dav 23:48:38 NickTR: A whole new set of terminals in stores would take time. 23:49:00 Lee: Right, if you are doing this for the web, a lot of the work can be used for other use cases. 23:49:33 NickTR: This would be aligned with "Wero" tap-to-pay account-to-account 23:50:13 Tim: What's become clear is that the terms used in ISO are over constraining 23:50:22 ...one can do a remote presentation protocol in an in-person payment. 23:50:23 q? 23:50:43 Lee: If you've gone to the effort to put a payment credential in a wallet,, there should be an opportunity to use it in person. 23:51:14 ...another benefit is the ability to see transaction history in a wallet 23:51:23 [Examples of SCA] 23:52:06 Lee: I think this would address some of the issues raised earlier today such as confusing language about "login" 23:52:33 ...the mockup shows non-payment credentials alongside payment credentials, with clear messaging to the user. 23:52:42 [Regarding Issuance] 23:52:54 Lee: There might be multiple ways to get a credential into a wallet. 23:53:16 ...e.g., banking apps could support creation and then they could act as wallets. 23:53:22 Gerhard has joined #wpwg 23:53:26 q+ 23:53:43 ...you could a imagine a "save my boarding pass" at the end of a flight reservation flow and create a credential into the wallet 23:53:53 ack Gerhard 23:54:43 Gerhard: Regarding the mockup. In this case, as a site I am saying "You need to share your information with me". How do we know that there's integrity in the sharing and not just social engineering. 23:54:51 ....are there ways to limit reuse? 23:55:02 ...or provide proof about how a credential is used. 23:55:19 JohnBradley: We are coming at this from the perspective of European EID wallets. 23:55:36 ...they have strong views about what information is released and to who. 23:55:51 ...in principle whoever issued the payment instrument would provide rules for the wallet to follow. 23:56:11 ...so it's not entirely different from the sorts of rules for situations where you present passport information. 23:56:31 ...this work isn't entirely contained in the credentials API; a lot is happening in OpenID for VP. 23:56:48 ..some people think that any credential should be used to sign arbitrary information (though some might think that's a bad thing). 23:57:12 ...should signing be attached to some credential types, so the wallet can have specific UX for what gets presented and transaction binding information 23:57:32 Gerhard: I'm hearing that the verifier and issuer would be synched up before a credential can be requested. 23:57:45 JohnB: I imagine it be much like existing acquirer certifications 23:58:12 ...I think that's an advantage of moving to verifiable credentials model. There are enforcement points that don't exist in the case of WebAuthn 23:58:17 q? 23:58:56 Lee: You can issue credentials with "create"; these credential formats will mostly provide for device binding. 23:59:22 ...another feature: there can be lifecycle management for credentials, with some wallet/issuer dialogs 23:59:27 q+ 23:59:29 ...they can be updated, for example or revoked. 23:59:43 ...e.g., "over 18" changes on your birthday.