13:54:20 RRSAgent has joined #wpwg
13:54:24 logging to https://www.w3.org/2025/07/31-wpwg-irc
13:54:24 Meeting: Web Payments Working Group
13:54:38 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20250731
13:54:41 Chair: Ian
13:54:43 Scribe: Ian
14:00:00 KaRa has joined #WPWG
14:00:20 benoit has joined #wpwg
14:00:56 jpm-block has joined #wpwg
14:01:10 present+ Kenneth_Diaz
14:01:13 present+ Fahas_Saleem
14:01:22 present+ Jean-Luc_di_Manno
14:01:23 present+
14:01:27 present+ Sami_Tikkala
14:01:30 present+ David_Benoit
14:01:38 present+ Jean-Pablo_Marzetti
14:01:40 present+ Ramesh
14:01:46 present- Ramesh
14:01:51 present+ Kavya_Ramesh
14:01:55 present+ Gustavo_Kok
14:02:03 present+ Steve_Cole
14:02:15 present+ Rogerio_Matsui
14:02:19 present+ Jinho_Bang
14:02:23 present+ Stephen_McGruer
14:02:24 present+ Bjorn_Hjelm
14:02:26 present+ Darwin_Yang
14:02:28 present+ Ryan_Watkins
14:02:50 present+ Gerhard_Oosthuizen
14:03:14 present+ Ben_Kelly
14:03:51 JeanLuc has joined #WPWG
14:04:05 present+ Dan_Pelegero
14:04:48 Steve_C has joined #wpwg
14:04:57 Topic: Leveraging FIDO User Verification Index (UVI) as a Cross-Browser PSD2 "Possession Factor" for Passkeys
14:05:02 https://github.com/w3c/secure-payment-confirmation/issues/306
14:05:25 Jean-Luc: Can we use the UVI of WebAuthn to add a trust signal to passkeys?
14:05:45 -> https://www.w3.org/2025/Talks/fime-uviuvm-20250731.pdf Jean-Luc's slides
14:06:12 Jean-Luc: There are three European drivers in my view:
14:06:31 * eIDAS
14:06:34 * PSD2/SCA
14:06:37 * PSD3
14:07:01 Jean-Luc: SCA is not just for payments, but other payment-related actions like releasing sensitive information or accessing an account
14:07:27 ...eIDAS is for mid-2027, and the final ARF in Autumn 2026
14:07:55 ...and PSD3 will include additional guidance against fraud protection to demonstrate that a transaction was properly authenticated
14:08:37 ...PSD3 also emphasizes accessibility and inclusion
14:08:56 present+ Vasilii_Trofimchuk
14:09:00 present+ Michael_Horne
14:09:07 present+ Henna_Kapur
14:09:15 present+ Ehsan_Toreini
14:09:23 present+ Arman_Aygen
14:10:08 Ehsan has joined #wpwg
14:10:19 Jean-Luc: EBA clarified in 2019 what constitutes a possession factor:
14:10:23 * Unique
14:10:25 * Bound to device
14:10:28 * Securely stored
14:10:37 * Involved in dynamic validation
14:10:59 Jean-Luc: So synched passkeys appear to comply (and what we've worked on with BBKs in SPC)
14:11:15 ...there are also broader fraud and regulatory requirements for banks:
14:11:22 * account takeover and phishing defense
14:11:33 * Friendly fraud protection
14:11:37 * AML and KYC
14:11:51 * Identification and authentication method requirements
14:11:54 Rene has joined #wpwg
14:11:54 * Fraud monitoring and audit logs
14:12:14 present+ Rene_Leveille
14:13:19 Jean-Luc: There will likely be a need to know what authentication mechanism was used (and whether it complies with internal policies)
14:13:34 (On FIDO UVI)
14:13:45 present+ Albert_Schibani
14:14:12 Jean-Luc: The WebAuthn spec indicated that UVI was introduced for the detection and prevention of "friendly fraud"
14:14:33 ...with each biometric (e.g., fingerprint) there is a unique UVI
14:15:14 ...the UVI is a combination of biometric data + unique id + non-resettable counter
14:15:18 Gerhard has joined #wpwg
14:15:23 q+
14:17:17 Jean-Luc: The UVI is signed (in the same way that SPC data is signed). It becomes interesting for payments because it looks like a device-binding signal in the assertion
14:17:31 ack Ger
14:18:22 Gerhard: The definition speaks strongly to biometric. Is UVI only applied in case of biometric?
14:18:24 Jean-Luc: I don't know
14:19:13 Jean-Luc: UVI was an extension in WebAuthn L1 but was removed in L2.
14:19:23 ...my proposal is to reintroduce it into L3
14:20:35 ...could be introduced into SPC as a default extension.
14:20:50 ...could complement BBK
14:21:08 ...could complement digital wallet
14:22:08 Ian: A path could be:
14:22:11 https://github.com/w3c/webauthn/issues/1386 seems to be the issue where it was removed
14:22:13 * Figure out if useful to payments
14:22:26 * If so, approach WebAuthn WG to see if they will reintegrate.
14:22:32 * If they don't want to, see if they object to adding to SPC
14:23:32 (Jean-Luc summarizes how UVI looks to fulfill the various EU regulation requirements about device binding, dynamic linking, 2FA, etc.)
14:24:21 q+
14:24:22 Gerhard: The WebAuthn WG removed it in L2. Do we know why?
14:24:59 Henna: Yes, good question. Do we have any implementations of this from L1 days?
14:25:09 ack smcgruer_[EST]
14:25:37 smcgruer_[EST]: See WebAuthn issue 1386 (where more extensions were removed). The main reason was "never implemented by anyone."
14:26:08 Roger has joined #wpwg
14:26:19 ...I would strongly suspect that since this is arguably equivalent to device-binding, you'd run into the same resistance encountered with DPK and SPK
14:27:20 present+ Sue_Koomen
14:28:03 Jean-Luc: With respect to PSD3, there are upcoming new requirements.
14:28:45 ...independence of SCA factors, non-repudiation, privacy protection, etc.
14:31:12 Jean-Luc: So the reintroduction is to help address requirements that are coming up.
14:31:39 ...paths: (1) reintroduce in WebAuthn L3 (2) extension on by default in SPC
14:32:28 q+
14:32:51 Ian: Should we enhance BBKs with other cool features you see in UVI?
14:33:05 Jean-Luc: May be useful as a complement to BBK to get broader adoption
14:33:20 ...from my POV it might be interesting for banks to get more signals
14:33:37 ack smcgruer_[EST]
14:34:51 smcgruer_[EST]: I would love it if authenticators adopted features to meet payments regulatory requirements. Maybe we need to lean more on WebAuthn as an industry.
14:36:01 Henna: It's worth a shot to approach the WebAuthn WG.
14:36:36 ...make the case that this is needed for any payment authentication
14:36:57 Ian: How do you see the requirements articulated here intersecting with trust signals work?
14:37:27 Henna: Can some of these requirements be added on top of BBK?
14:38:03 Henna: I don't see the JL requirements intersecting with the trust signals work
14:38:17 q+
14:39:16 ack smcgruer_[EST]
14:39:41 smcgruer_[EST]: We are interested and willing to figure out what extra data could be provided via BBKs. E.g., the question has been whether to attest the BBKs.
14:40:09 ...the question of "which method of authentication" may not be data available to the browser. I think platform authenticators don't provide this info (and I don't know about via CTAP)
14:40:20 ...so I don't know that the browser has that info.
14:40:47 Henna: We could see if UVI/UVM requests could be made in a high-assurance login context instead of a payment context.
14:41:02 ...eIDAS says there needs to be pseudonymous authentication and passkeys are the way to do it.
14:41:11 ...do we need this level of granularity for that login?
14:41:28 ...so could we make this a story about some login use cases as well
14:41:33 present+ Sharanya
14:41:37 Jean-Luc: +1 to Henna's point
14:42:02 +1 to Henna as well
14:43:34 Ian: We have a joint meeting planned at TPAC. Should we do this in person there or sooner?
14:43:37 Henna: Sooner
14:43:53 ...maybe positioning is "high assurance login" at this point to get full attention
14:43:58 ...and map to eIDAS
14:44:01 +1 again to Henna for both timing + the framing
14:44:59 TallTed has joined #wpwg
14:45:02 ACTION: Jean-Luc to revise presentation to focus on high assurance login use case driven by eIDAS, to use as basis of a joint meeting
14:45:10 RRSAGENT, make minutes
14:45:11 I have made the request to generate https://www.w3.org/2025/07/31-wpwg-minutes.html Ian
14:45:20 Topic: Non-normative UX guidelines for implementors and integrators
14:45:54 smcgruer_[EST]: We've started work on UX improvements on desktop (in addition to mobile)
14:46:25 ...we see value in providing guidelines related to UX. These guidelines would be non-normative UX guidelines.
14:46:47 ...we'd like community-driven good practices
14:47:16 -> https://github.com/w3c/secure-payment-confirmation/issues/309 GitHub issue on this
14:48:35 -> https://github.com/w3c/secure-payment-confirmation/issues/309#issuecomment-3137413027 What Chrome is doing today
14:55:49 Bjorn: It will be hard to give UX feedback if I don't have anything to share internally.
14:55:55 smcgruer_[EST]: We're working on non-branded mockups
14:56:32 Ian: What is the timeframe for that?
14:56:41 https://rsolomakhin.github.io/pr/spc-payment-entities-logos/
14:57:03 smcgruer_[EST]: You can use that to create your own mockups as an FYI
14:57:41 ACTION: smcgruer_[EST] to share mockups without specific logos at an upcoming meeting
14:58:52 Ian: Any editor volunteers?
14:59:03 Ian: Can we make this just a markdown doc in the SPC repo?
14:59:36 +1 to markdown doc
15:00:03 ACTION: smcgruer_[EST] to move v1 of their text into a markdown doc in the repo
15:00:29 Topic: Chartering
15:00:33 https://lists.w3.org/Archives/Public/public-payments-wg/2025Jul/0008.html
15:02:32 ...see also TAG request for conversation on payment link type in HTML https://github.com/w3ctag/design-reviews/issues/1015#issuecomment-3130482769
15:02:42 ...that's part of our recharter so moving slightly to the front burner
15:02:45 Topic: Next meeting
15:02:47 14 August
15:02:55 RRSAGENT, make minutes
15:02:56 I have made the request to generate https://www.w3.org/2025/07/31-wpwg-minutes.html Ian
15:02:58 RRSAGENT, set logs public
17:04:38 Zakim has left #wpwg