W3C

Web Payments Working Group

05 June 2025

Attendees

Present
Albert Schibani (Capital One), Arman Aygen (EMVCo), Ben Kelly (Meta), Bjorn Hjelm (Yubico), David Benoit, Doug Fisher (Visa), Ehsan Toreini (Samsung), Fahad Saleem (Mastercard), Gerhard Oosthuizen (Entersekt), Henna Kapur (Visa), Ian Jacobs (W3C), John Bradley (Yubico), Jorge Vargas (Discover), Kenneth Diaz (Entersekt), Nick Telford-Reed, Rogerio Matsui (Rakuten), Rouslan Solomakhin (Google), Ryan Watkins (Mastercard), Sami Tikkala (Visa), Sharanya Chandrasekaran (PayPal), Slobodan Pejic (Google), Steve Cole (MAG), Sue Koomen (American Express), Takashi Minamii (JCB), Tomasz Blachowicz (Mastercard)
Regrets
-
Chair
Ian
Scribe
Ian

Meeting minutes

Chartering update

Ian: Today we started AC review of the proposed WPWG charter (for four weeks)
… please reply (or have your AC Rep reply) to the Cal for Review.

SPC updates

(We reviewed some SPC issues and pull requests.)

Ian: At the 22 May meeting we asked a question about whether a passkey created without the payment extension could be upgraded to have it. Any updates on whether passkeys can be upgraded? (Also, I raised issue 299 to capture the question that prompted discussion about upgrading credentials: if we can't upgrade credentials, should we create a BBK for every passkey in case the RP wants to use that passkey for payments even if created for login?)

Rouslan: No updates yet, still investigating.

(No reactions to issue 300)

Ian: How close are we to merging pull request 286?

Slobodan: Close. I still need one internal review
… should be done by next week

Ian: How close are we do merging pull request 296?

Slobodan: That one can be merged after we've merged 286.

Ian: Any implementations changed based on the changing of the specification for BBK?

Slobodan: No

(At this point John Bradley arrived in the meeting and so we asked him the question about updgrading passkeys with the payment extension.)

Ian: John, can we upgrade a passkey to add the payment extension?

John: If the Web Authentication WG had wanted to do SPK (a general-purpose precursor to BBKs), it would have done it.

Ian: Yes, but the difference is that the BBK is only available through SPC.

John: You'd have to do a trust on first use of the supplemental credential (the BBK).
… a goal originally was to be able to use an authentication credential that a bank created as a payment credential

John: You have to trust the device the first time you see it

John: WebAuthn does have the CTAP bit which can be set
… it might be possible for some browsers to return that.
… people are going to have to figure out how to do step-up across devices.
… and cross-platform
… people are going to have to figure out what to do for step-up anyway.
… (CTAP 2.2 supports cross-origin bit)

Ian: What is status of new SPC UX (which we've seen recently in mockups)?

Slobodan: Still in development

SPC and Roaming Authenticators

John: Where are we with roaming authenticator support in SPC?

Ian: SPC does not yet support roaming authenticators, though it remains our goal to do so. When we last chatted with the WebAuthn WG during TPAC 2024 we asked about the state of WebAuthn UX around roaming authenticators. You have previously mentioned ideas for caching the existence of credentials, which would allow the browser to detect a roaming authenticator having a relevant credential and open the SPC transaction dialog (assuming some prior prompt to plug in the roaming authenticator).

John: In CTAP 2.2 we have caching of credentials. I am checking with Nina Satragno on implementation. She could use a signal that that would be useful for SPC. Right now the reason for doing it is for autofill.

Ian: Is caching done at browser level or operating system level?

John: Depends on implementation. Sometimes one sometimes the other. It's complicated

Ian: Is the bit "widely available"?

John: Once 2.2. authenticators ship, yes. Not yet widely publicly available...waiting for authenticator dissemination

NickTR: So if the browser has seen a passkey on a roaming authenticator previously, will there be a prompt to insert the authenticator?

John: Yes, that's the idea. That UX hasn't been developed yet.

ACTION: Ian to ping Nina Satragno at Chrome to mention SPC and roaming authenticators

John: On platforms that support this feature...I assume the goal is to support pluggable passkey providers.

(Discussion of passing CTAP bit to browser for pluggable passkey providers)

(We discuss some implementation details of information sharing between OS and browser)

Chrome SPC on iOS

Rouslan: We are investigating polyfill on Webkit for SPC

John: Back to the question of the CTAP bit: for Chrome on iOS, would the bit be passed by iOS so you could use those stored credentials?

Rouslan: On iOS would probably use the Chrome WebAuthn passkey implementation and would probably use the secure enclave API for storage.

John: The question will be whether the CTAP bit is passed through when a credential is synched between android and iOS

Rouslan: Does Chrome Android support passkeys from 3p providers?

(Scribe missed the discussion about cross-platform synching)

(We have discussion about BBKs bound to stored passkeys from 3p providers)

ACTION: Rouslan to find out more about using pluggable passkeys with SPC on Android

JohN: If we can get CTAP into 3p passkey providers on one platform, we need to get it out of them on other platforms

ACTION: Ian to request time on WebAuthn WG agenda to talk about the (1) CTAP bit synching across platforms and (2) any issues around adding the CTAP 2.2 features / security keys to be used with SPC

John: Suggest several weeks advance notice of that agenda

Payment Request in WebViews on Android

Rouslan: We shipped payment request on Android WebView (see Android documentation).
… we've been in contact with merchants, payment applications

John: Does that mean WebAuth generic will work in WebAuthn?

Rousan: Merchant chooses with payment application they want via PR API
… but we can't do SPC in WebView

(Some discussion about whether WebAuthn works in web views; according to Android documentation it does.)

Next meeting

19 June

Summary of action items

  1. Ian to ping Nina Satragno at Chrome to mention SPC and roaming authenticators
  2. Rouslan to find out more about using pluggable passkeys with SPC on Android
  3. Ian to request time on WebAuthn WG agenda to talk about the (1) CTAP bit synching across platforms and (2) any issues around adding the CTAP 2.2 features / security keys to be used with SPC
Minutes manually created (not a transcript), formatted by scribe.perl version 244 (Thu Feb 27 01:23:09 2025 UTC).