Meeting minutes
SPC updates
Jonathan: As part of fostering adoption of FIDO we've been looking into FIDO for payments.
… we know that the payments use case is different than the login use case (different requirements)
… SPC is a solution that addresses some of our requirements for payment authentication
… we wanted to raise awareness about SPC
… and FIDO for authentication
(Jonathan walks through the document)
Jonathan: In the intro of the paper we talk about FIDO for payments at a high level, and replacing insecure passwords with convenient authentication.
… then we talk about the benefits of SPC on top of FIDO
… and we say a bit about ongoing work on SPC to improve the UX and security of the transactions
… under benefits we talk about (1) consistency of UX (2) features that support compliance (3) security improvements (4) cross-origin authentication UX (no redirect)
… under use cases we talk about two main use cases: (1) bank is the relying party (who creates the passkeys) (2) payment scheme is the relying party
Jonathan: We talk at the end about future enhancements (fallback UX, logos, browser-based key)
… we include the UX that was featured in POCs last summer (and for which we received good feedback)
Ian: Delegated auth use case?
… should that be covered (along with reference to FIDO White Paper on input to 3DS)?
Jonathan: I don't think it would significantly change the description of SPC benefits.
… the use cases we emphasized are the ones that we think are most being implemented.
<Zakim> nicktr, you wanted to ask about SPC on chrome on iOS 17.4+ in the EU
nicktr: Thanks to the FIDO team that developed the paper. As you were looking at "availability" there's another possibility in Europe of support on iOS. Is SPC supported yet in Chrome on iOS?
smcgruer_[EST]: Not at this time. Chrome on iOS in Europe is still the same engine under the hood.
Ian: Any initial response to the publication?
Jonathan: Too soon
… within FIDO we did get feedback during the review period.
Status of BBK implementation
Slobodan: We have made BBK available in Canary behind a flag.
<smcgruer_[EST]> https://
smcgruer_[EST]: We have an initial version on Chrome for Android using the secure element.
… the browser bound key is created when the passkey is created
… if the browser bound key is cleared but the passkey is not, then it should be recreated at authentication time (but it is not yet implemented; should be soon)
Rene: Is the BBK doing a DPK thing?
smcgruer_[EST]: It is browser-bound rather than device bound.
Jonathan: We want this feature to not have to use cookies
<smcgruer_[EST]> w3c/
Rene: We are trying to find a solution in FIDO for filling the gaps
smcgruer_[EST]: We think it's complete enough for people to start trying out.
… our next steps are for people to try this out.
… and we will run this by other internal teams
… there are interesting questions still about algorithm selection or key rotation, and we've made initial choices
… we have focused on Android for now. Some aspects were easy and we also heard support for this approach from partners, but we are expecting to extend to other platforms.
Ian: How will spec updates happen?
smcgruer_[EST]: That will flow from feedback phase and internal feedback.
Berlin Group chat
Ian: We have a chat with them on 24 about SPC. Also digital wallets. Any suggestions for the agenda?
Nick: Request to Pay API. I've been trying to read about this API
30 January