23:59:42 RRSAgent has joined #wpwg
23:59:47 logging to https://www.w3.org/2025/11/09-wpwg-irc
23:59:47 Meeting: Web Payments WG
23:59:51 Agenda: https://github.com/w3c/webpayments/wiki/Agenda%E2%80%90TPAC2025
23:59:54 Chair: Nick
23:59:56 Scribe: Ian
00:00:02 zakim, this meeting spans midnight
00:00:03 I don't understand 'this meeting spans midnight', Ian
00:00:16 Rrsagent, this meeting spans midnight
00:00:21 present+ nick_s
00:00:32 present+
00:00:36 present+ SMC
00:00:43 present+ JonathanG
00:00:46 present+ SamiT
00:00:49 present+ Gustavo
00:00:50 present+
00:00:53 present+ NickTR
00:00:55 present+ Gerhards
00:00:59 present+ Tomasz
00:01:02 present+ Vasilii
00:01:14 present+ David_Benoit
00:01:20 present+ Rick_Byers
00:01:28 present+ Irene_chang
00:01:39 present+ Daniel_Wyckoff
00:01:56 benoit has joined #wpwg
00:01:56 present+ Mike_Horne
00:02:02 present+ Pavan
00:05:42 present+ Keith_Freeman
00:05:47 present+ John_Bradley
00:05:50 present+ Morimori+
00:05:55 present+ Takashisan
00:06:00 present+ Nishant
00:06:28 Topic: Introduction and Welcome
00:06:30 -> https://docs.google.com/presentation/d/11e3agvUiK1r8Z1_yhL1XSt44kTHZBQz_pfyS1flJZWU/edit?usp=sharing Nick's slides
00:06:51 Tomasz has joined #wpwg
00:06:57 GO has joined #wpwg
00:07:00 DP has joined #wpwg
00:07:03 present
00:07:03 present+
00:07:03 present+
00:07:03 present+
00:07:04 present+ Dan_Pelegero
00:07:06 present+
00:07:06 present+
00:07:19 Jonathan has joined #wpwg
00:07:22 raginpirate has joined #wpwg
00:07:23 jcayzac has joined #wpwg
00:07:29 vasilii has joined #wpwg
00:07:29 wanderview has joined #wpwg
00:08:30 Nick: Please ask questions and enjoy hallway conversations
00:08:34 I have made the request to generate https://www.w3.org/2025/11/09-wpwg-minutes.html Ian
00:08:39 nk has joined #wpwg
00:08:39 taki has joined #wpwg
00:08:39 mikehorne has joined #wpwg
00:08:39 zgroza has joined #wpwg
00:08:39 Arman has joined #wpwg
00:08:39 ve7jtb has joined #wpwg
00:08:39 Nishant_FIDO has joined #wpwg
00:08:39 timcappalli has joined #wpwg
00:08:39 nakjo has joined #wpwg
00:08:45 present+
00:09:13 present+ Shuji_Nomura
00:09:19 present+ Sharanya
00:09:58 padmk has joined #wpwg
00:09:58 Helen has joined #wpwg
00:09:58 rpn-stripe has joined #wpwg
00:12:11 martin_alvarez has joined #wpwg
00:13:32 gkok has joined #wpwg
00:13:32 leecam has joined #wpwg
00:13:32 nournabil has joined #wpwg
00:13:32 alexs has joined #wpwg
00:13:45 I have made the request to generate https://www.w3.org/2025/11/09-wpwg-minutes.html Ian
00:14:40 Junhui has joined #wpwg
00:14:47 q+ minor objection, we have multiple browser vendors shipping Payment Handler, but only one browser engine.
00:14:53 q+ to note minor objection, we have multiple browser vendors shipping Payment Handler, but only one browser engine.
00:15:54 jcayzac4 has joined #wpwg
00:16:30 q-
00:17:03 [Stephen points out that there is one browser engine that implements PH APH, but multiple browsers ship it]
00:17:11 s/APH/API
00:18:09 benoit_ has joined #wpwg
00:18:41 present+ Henna
00:19:02 We don't *have* to talk about agentic, we could all just go for a long lunch
00:20:02 present+
00:20:09 present+ Kavya
00:20:36 can we take 2-4 minutes to rapid fire (name/company) do intros around the room since we'll be here all day together :)
00:21:20 q?
00:22:18 [Around the table]
00:22:21 present+ Armen
00:22:31 present+ Jason
00:22:48 present+ Ashwany
00:23:15 present+ Rogerio
00:23:20 present+ Jorge
00:23:40 present+ Ciop
00:23:46 present+ Cip
00:23:48 present+ Roberto
00:23:52 present+ Cathy
00:24:12 present+ Albert
00:24:12 present+ Sameer
00:24:18 present+ Lee_Campbell
00:24:20 present+ Helen
00:24:37 present+ Julien
00:24:48 present+ Darwin
00:25:00 present+ John_Bradley
00:25:21 present+ Martin_Huawei
00:26:10 Topic: SPC pilots and experimentation
00:26:16 [Sami presents for Visa]
00:27:00 Sami: We did an SPC study looking at the BBK and UX additions to SPC on Android.
00:27:55 Kavya has joined #wpwg
00:28:35 Vanitha has joined #wpwg
00:28:39 Sami: This was a controlled study (not a large scale study)
00:29:07 Sami: our first focus was to look at BBKs.
00:29:13 ...and see how the new UX works.
00:29:43 ...it was too much of a hassle to do an A/B study
00:29:54 ...just jumped to people's reactions with the new UX
00:30:34 ...we did not look at the "authenticate another way" feature
00:31:23 ...we had 6 users from 4 countries
00:31:27 q?
00:31:38 ...the participants had 2 devices
00:31:45 Gerhard: Who was the RP?
00:32:18 Sami: In our experiment issuer was RP over 3DS 2.3.1 rails
00:32:55 Sami: in our flow we ID&V the user, then ask if they want to enroll in SPC.
00:33:00 junhui has joined #wpwg
00:33:10 present+ Junhui
00:33:12 ...then they used a second device (where the passkey is synched but the BBK is not)
00:33:47 Gerhard: how did you detect that passkey synched on second device?
00:33:58 Sami: Try and fail
00:35:37 SameerT has joined #wpwg
00:35:37 [Regarding synching to second device]
00:35:50 Sami: We struggled a bit with the participants on the second device.
00:36:08 ...e.g., people had different accounts, a source of friction
00:36:24 (can we get these slides linked to the agenda at some point? Thanks!)
00:36:45 Padmanabhan has joined #wpwg
00:36:48 Sami: On second device without BBK, we use an OTP to verify the user to trust the BBK.
00:37:03 ...on the new device
00:37:15 Sami: the flow worked very well if you have all the bits and pieces in place
00:37:29 Pavan has joined #wpwg
00:37:36 does SPC work without google signin?
00:37:51 Gustavo: Did you provide instruction on what SPC means?
00:38:03 Sami: no, we did not talk to them about what SPC means
00:38:08 Sharanya has joined #wpwg
00:38:32 [Note: SPC does not require Google sign-in, but passkeys are synched through Google sign-in]
00:38:47 Sami: We got very positive feedback on the user journey: the speed, understanding of the flow
00:39:12 ...on a scale of 1-5 (5 being positive), most of the feedback was on the very positive end of the scale.
00:39:24 q+
00:39:37 Gerhard: Was there any passkey messaging?
00:39:46 Sami: No, only ever payment context
00:40:05 Dan: Did you test unhappy path?
00:40:39 Sami: We encountered issues that did not enable users to proceed in some cases.
00:40:57 Gustavo: When you are rebinding the new device, does that need to follow the same two factors?
00:41:42 q+
00:41:46 ack gkok
00:41:54 ack vas
00:42:37 Sami: Not all participants understood the purpose of a passkey at enrollment
00:42:49 ...lots of messaging and education is likely necessary
00:43:32 Sami: Most participants missed branding on the SPC passkey authentication screen
00:43:58 ...light mode and dark mode ... we need to communicate to issuers
00:44:19 Sami: people trusted the UI
00:44:46 Sami: When you do the second device after synching the passkeys, almost all participants guessed the step-up was for security
00:44:58 ...there was a little bit of uncertainty among the users
00:45:04 ...but they guessed it was for security
00:45:13 ...so despite confusion, response was overall positive
00:46:38 Gustavo: Do you think that there's a bias because users are recruited to doing a test? Is there an opportunity to refine the messaging like "First time you are paying with this device"
00:46:48 Gerhard has joined #wpwg
00:47:53 Sami: some surprising findings:
00:48:23 q+
00:48:23 - disqualified participants had a few challenges that kept them from being able to create a passkey or kept the passkey from synching to their second device
00:48:53 ...e.g., didn't have same google account on second device
00:49:14 Sami: Another question is "how quickly do passkeys sync"? Some people did test before synching had happened.
00:49:26 ...also, if you have privacy mode on, synching doesn't happen
00:50:15 Gerhard: The mechanism that we used for base authentication (e.g., OTP) was performed in both cases. The question that comes to mind for me: would the client have seen any difference if the trial had been done without synching? For example, if they simply got a new passkey
00:50:39 TimCappalli: The passkey is not necessary here. The BBK sufficient on its own.
00:50:40 +1
00:50:50 q+
00:50:57 ack Gerhard
00:51:04 q+
00:51:07 TimC: I'm surprised to see that the passkey is still being used.
00:51:32 Gerhard: There are multiple contexts - need MFA (Europe) and other parts of the world (where you want to get rid of OTP)
00:52:07 Gerhard: You could just issue a new passkey on the second device, it would be the same UX
00:52:18 smcgruer_[EST]: We were going to propose exactly getting rid of passkeys
00:52:25 q+
00:52:47 smcgruer_[EST]: Maybe we architect this where you can swap between passkeys or bbk only or nothing at all...
00:53:01 ...if we get rid of passkeys, life gets simpler.
00:53:08 ack nick_s
00:53:10 ack gkok
00:53:14 ack smcgruer_[EST]
00:53:31 q+
00:55:52 q?
00:56:07 Sami: Quite a few participants had dark mode on.
00:56:57 Sami: Strengths to build on: passkeys preferred for security, speed, reliability
00:57:06 present+
00:57:08 ...recognizable branding reinforced trust
00:57:14 Sami: Recommendations
00:57:23 - strengthen standards for branding.
00:57:26 q+
00:57:37 q-
00:57:39 - develop issuer guidelines for enrollment
00:57:49 - provide issuer guidelines for cross-device and fallback messaging
00:57:54 - coordinate on bbl availability expectations
00:58:00 s/bbl/bbk
00:58:07 q?
00:58:39 q+
00:59:19 Sidd: Wondering whether passkey still necessary now that there are BBKs.
00:59:29 ack nicktr
01:00:08 q+
01:00:18 smcgruer_[EST]: Please note we have a pull request on UX guidelines for SPC....PLEASE REVIEW
01:00:29 https://github.com/w3c/secure-payment-confirmation/pull/311
01:00:39 ack timcappalli
01:00:40 Tomasz9 has joined #wpwg
01:00:54 timcappalli: Was there any feedback from users on "now every passkey I have is for payments"?
01:00:58 Sami: No.
01:01:10 timcappalli: We are hearing some feedback in another context.
01:01:17 ack nick_S
01:01:37 fahadMastercard has joined #wpwg
01:01:41 nick_S: In this test, these were all Android users. If you had a google pay button would they have used that instead?
01:02:06 ...a lot of the issues that are coming up here ... it feels like users already have a digital wallet (since they are Android users)
01:02:14 ...and they've already enrolled their credential.
01:02:21 q+
01:02:25 ...what do you do for users who already have that payment credential in their wallet.
01:02:44 ...Google pay could bypass this flow entirely
01:03:08 smcgruer_[EST]: I think that conflates a few things. These users have Google accounts, but that's not the same as having a payment method enrolled in Google pay.
01:03:18 ...these users may or may not be using google pay
01:03:32 ...in the flow you mentioned, NickS, I think you are referring to SPA (from Google)
01:03:36 SPA = Secure Payment Authentication
01:03:53 q+
01:04:00 JonathanG: You may have a card on file with a merchant and want to use the card on file
01:04:03 q-
01:04:12 q+
01:04:20 nick_S: Should there be a way to tell with SPC whether user has a credential enrolled in another wallet?
01:04:31 JonathanG: Do you mean "use the card in the wallet"?
01:04:38 nick_S: Use it with the existing binding
01:05:00 ..if I've bound the credential, is it better for the user or the merchant to use what's bound? What's the benefit of going through another enrollment?
01:05:03 q?
01:05:19 Albert has joined #wpwg
01:05:44 ack benoit
01:05:52 benoit: Google pay also limited by your bank signing up
01:06:05 ...whereas SPC does not require that.
01:06:06 q+
01:06:08 ack gkok
01:06:16 q+
01:06:20 gkok: The merchant also has to accept Google pay, but not all merchants do
01:06:29 q+
01:06:44 gkok: ...as a merchant, I value having the card number and not just the token.
01:06:58 [We get into the PAR discussion]
01:07:41 q+
01:07:43 nick_S: This enrollment is heavy; the findings are telling us that.
01:07:48 q-
01:08:18 zakim, close the queue
01:08:18 ok, nicktr, the speaker queue is closed
01:08:19 ...if you have an opportunity to bypass an enrollment by reusing a credential, shouldn't we allow that option (via the standard)
01:08:30 ack DP
01:08:54 DanP: PayPal has been addressing this with custom credentials API...if they already have something they can run the attestation against, then run it.
01:09:01 ack Albert
01:09:26 albert: As an issuer, I would be interested in reusing existing enrolled credential.
01:09:33 ack Gerhard
01:09:41 Gerhard: It's partly about choice, partly about the merchant.
01:10:01 ...my assumption is that merchant would have presented a variety of options (including google pay or apple pay) and the user has chosen this path
01:10:15 ...to redirect the user to a wallet they did not select is not good for the user.
01:10:24 +1 to Gerhard's comment
01:11:39 [Mastercard findings]
01:11:42 yigu has joined #wpwg
01:11:55 zakim, open the queue
01:11:55 ok, nicktr, the speaker queue is open
01:12:02 q?
01:12:12 [Jonathan Grossar presents Mastercard findings]
01:13:29 Jonathan: Stepping back, we are seeking secure and seamless authentication. Mastercard introduced payment passkeys in late 2024 to deliver seamless MFA
01:13:41 ...we can link cards to a passkey after doing some ID&V
01:14:07 ..we want to link card to device, but only after steppe
01:14:13 s/steppe/step-up
01:14:17 lychee has joined #wpwg
01:14:41 Jonathan: We see passkeys as useful for multiple use cases (e.g., card on file, guest checkout, agentic)
01:14:52 ...needs to work on Web, native
01:15:18 ...if you use click-to-pay, that's another use case (closer to login)
01:15:32 To share my thoughts here since the queue was closed for our prior topic on wallets: I think there's something very interesting here. I believe it's very valuable for the merchant to consume the raw payment credentials when supplied, and give the buyer that choice about how they are sharing their payment credential.
01:15:32 But it could be amazing to identify if the device does have a wallet already leveraging that credential, and to share with the issuer both the raw details (what the buyer has chosen to charge with) and just authentication context from the wallet (biometric approval of a pre-tokenized credential with that issuer), without uplifting to passkey
01:15:32 generation if 3DS is required. So, focusing on solving the part of the problem about authentication, without coupling the payment credential being charged directly with it.
01:15:32 I say this with very limited knowledge in this domain though, I have more to learn.
01:16:45 JonathanG: Mastercard enabled passkeys for transaction authentication at over 1000 merchants in 2025
01:16:58 ....(we see a demo of a checkout experience on Carrefour)
01:18:00 ...when a passkey is already enrolled conversion is high
01:18:08 ...pain point is enrollment
01:18:38 ...when we do A/B testing, we see improvements based on UI changes to communicate passkey info
01:19:06 denis has joined #wpwg
01:19:15 denis has left #wpwg
01:19:30 ...other challenges are that in the payment ecosystem, authentication often happening in a 3p context (Iframe)
01:19:45 ...this creates challenges like pop-up blockers, native apps, webviws, etc....there are a lot of different merchant integration models
01:19:59 s/webviws/webviews/
01:20:18 q+
01:20:22 ...we also realize that all devices are not eligible (e.g., user has not set up a device unlock)
01:20:29 ack gkok
01:20:42 +q
01:20:45 gkok: Are you saying it's not worth onboarding during merchant flow?
01:20:45 Sid has joined #wpwg
01:20:58 JonathanG: User might say "not now" but it's not leading to checkout abandonment.
01:21:18 ...putting more context in place is important (e.g., bank branding)
01:21:39 ack timcappalli
01:21:51 timcappalli: Are you using feature detection APIs?
01:21:58 JonathanG: Just using the API call
01:22:06 q?
01:22:34 JonathanG: To understand whether the passkey is on this device, we have to gather (without BBK) some device info to know if this is the same device where we created the passkey
01:22:57 JonathanG: Now that we are looking into implementing SPC, we are looking into all the user journeys
01:23:08 ...a big improvement is cross-origin authentication.
01:23:19 ....that reduces the risk of technical errors and latency
01:23:39 ...it's also possible to use bank passkeys...they don't need to be actively involved in the authentication process on the front end
01:23:49 ..it's a smoother process, and a strong argument for using SPC
01:23:59 ...second big improvement is addition of BBK for device binding
01:24:10 ...reduces the risk of additional identity verifications
01:25:08 Jonathan: You can see from the demo that there is no need to use the MC popup (since modal is managed by browser)
01:25:15 Jonathan: Open questions:
01:25:24 - What happens when bbk not found?
01:25:38 q+
01:25:46 ...it might be that the merchant already knows you are not on the right device.
01:26:22 q?
01:26:55 Jonathan: The next issue to look up is how to avoid double step-up (SPC authentication followed by OTP)
01:27:28 q+
01:27:34 JonathanG: The double authentication is giving us a lot of headaches
01:27:55 ...the second issue is you have the same passkey challenges as before (signing in with passkeys, different passkey managers)
01:28:09 q+ sidd
01:28:14 timcappalli has left #wpwg
01:28:35 Jonathan: We still want one enrollment and usable across N merchants
01:29:00 Velvizhi has joined #wpwg
01:29:11 ...if biometrics already enrolled, good to reuse it (even if not passkey)
01:29:18 q-
01:29:37 JonathanG: There might be multiple RPs in a flow (e.g., SPC credentials from network, issuer, or the merchant's PSP)
01:30:06 [We can also solve multiple RP easily if we divorce from passkeys, I believe]
01:30:56 [I am hearing a theme]
01:31:47 Jonathan: You need to allow for different integration models.
01:32:15 ...we will want to compare feedback between passkeys for payments and SPC
01:32:19 timcappalli has joined #wpwg
01:32:29 q+
01:32:57 Jonathan: We will find out when we launch this experience.
01:32:59 ack DP
01:33:10 DP: When you say "conversion not so great" what does that mean?
01:33:25 zakim, close the queue
01:33:25 ok, nicktr, the speaker queue is closed
01:34:24 Jonathan: We will also be interested in additional use cases (e.g., recurring payments, Agentic)
01:34:26 q?
01:34:32 ack Gerhard
01:35:06 Gerhard: In the case where BBK not found...I am assuming you mean "after calling SPC"
01:35:10 Tomasz: Yes
01:36:03 Gerhard: Ongoing challenge of knowing whether credential available on this device
01:36:23 takashi has joined #wpwg
01:36:46 present+
01:37:04 Tomasz: You need access to cookies to recognize user, but it's in another context.
01:37:39 Tomasz: Remember, there are two "no BBK" use cases: passkey synched but no BBK yet, and second case is BBK won't be available since old device
01:37:49 Yasu has joined #wpwg
01:37:52 q?
01:38:42 sidd: There can be multiple layers of authentication (e.g., user authenticating to PayPal who has their own FIDO implementation)?
01:38:47 [So, not to keep going to a theme, but... if we don't use passkeys, we are also able to explore more this identification of returning users. Still within our privacy norms though! Just less requirement to align with WebAuthn, is all]
01:39:08 Ns has joined #WPWG
01:39:33 Takashi has joined #wpwg
01:39:58 [+1 for Stephen's comment]
01:40:34 Sidd: There might be one passkey for login and another for payments.
01:40:44 NickTR: That's fundamentally what a wallet does
01:40:54 RRSAGENT, make minutes
01:40:55 I have made the request to generate https://www.w3.org/2025/11/09-wpwg-minutes.html Ian
01:41:01 RRSAGENT, set logs public
01:41:56 Sidd: There is a delegation issue
01:45:25 Shuji has joined #WPWG
02:07:17 q?
02:08:07 ack sidd
02:10:06 nick_s has joined #wpwg
02:10:37 [Stripe on SPC]
02:10:43 (Cip Blujdea presentation)
02:11:29 Cip: I'm the product manager for payment authentication at Stripe. I want to give updates on our implementation of SPC, in the UK market since 2022
02:12:10 benoit__ has joined #wpwg
02:12:16 ...Stripe is a PSP and there's a tradeoff that we think about: maximizing payments while minimizing fraud
02:12:24 ...authentication is an important level of how we do that
02:12:25 sami has joined #wpwg
02:12:38 ...SPC is of renewed interest to us, since it can improve conversation and reduce fraud
02:12:59 ...we are thinking about it outside of a 3DS context.
02:13:18 ..we also want to avoid OTPs (which are not phishing resistant)
02:13:27 ...I've been looking more into SPC lately and we're exploring more.
02:13:27 s/conversation/conversion/
02:13:39 ...we did a pilot in 2022 with Wise.
02:14:02 ..the user journey involved a 3DS ID&V and an option to register for SPC next time.
02:14:11 ...we saw a 7% uplift (in conversion) through SPC compared to OTP
02:14:26 ..and 4x faster checkout flow compared to traditional 3DS flow
02:15:00 ...since then, we've increased the scale with Wise....conversion has still been higher than traditional flow but only 1% at scale compared to previously
02:15:08 ...fraud has been slightly lower than similar transactions
02:15:21 ...we expected fraud to be even lower but we think this is due to three factors
02:15:22 q+
02:16:19 alex9 has joined #wpwg
02:19:20 Cip: We were wondering why the results were not as good as the previous trials.
02:19:24 zakim, open the queue
02:19:24 ok, nicktr, the speaker queue is open
02:19:27 q+
02:19:30 ...one reason is that Wise already has very good stats
02:19:37 ...we think that for other issuers there will be greater improvements.
02:19:55 ...one reason fraud has not decreased more is due to friendly fraud
02:20:01 q+
02:20:03 q+ to talk about UK
02:20:31 Cip: Another issue may be a fraudulent initial binding.
02:20:36 ...some of the challenges and learnings
02:20:38 q-
02:21:01 ..first, when it comes to scaling, the biggest blocker has been that the issuer has the responsibility to authenticate in a regulated market.
02:21:17 ..that's made it more difficult to set this up with more issuers, because of onerous regulatory and compliance due diligence
02:21:26 ...this is why today we are not doing this with more issuers.
02:21:56 ...another challenge with scaling is that many merchants control their full UX and so it makes it more difficult for Stripe. Smaller merchants allow Stripe to control the experience.
02:22:03 ...we can control both the enrollment and authentication.
02:22:22 ...another challenge we've seen is with the branding: what is the cardholder going to see? Stripe is not a cardholder facing brand.
02:22:33 ...we've had this question come up from cardholders (rarely) but also some merchants.
02:22:43 ...the cardholder may be confused about who the RP is
02:22:58 ...it's not clear what the cardholder is signing up for when creating the passkey
02:23:15 ...we've also had some merchants opt out of the flow because it does not match the UX they are trying to give their users.
02:23:16 q+
02:23:34 ...one technical limitation we've seen: we don't know whether the device has been previously provisioned with a passkey
02:23:53 ..having said that, we are looking at further rollout because we have had good results.
02:24:00 q+
02:24:16 ...in the UK, another issuer reached out to us for a similar experience, where 3DS flows don't work well and where there's not a bank app experience.
02:24:29 ...for example, a business bank account (user is doing corporate payment but doesn't have an app)
02:24:41 ..in this case, the issuer sees an opportunity to let user use mobile phone with SPC.
02:24:44 q?
02:25:09 Cip: We think it's worth it in light of performance uplift
02:25:25 ..the other way we are thinking of expanding this is in markets where 3DS does not perform that well (e.g., US market)
02:25:28 q-
02:25:39 ...where 3DS adoption isn't as high as in Europe
02:25:40 q+
02:25:51 ...we'd like to run a pilot on this.
02:26:42 q?
02:26:45 ack gkok
02:26:48 q+
02:27:01 Gustavo: I'm curious about the 7% v 1% conversion. Did you dig into that?
02:27:07 present+
02:27:26 Cip: Since 2022, Wise has improved their authentication, but I don't yet have the full analysis
02:27:43 nicktr: I'm a UK card holder...Wise step-up experience is really good
02:27:57 NickTR: UK is a mature 3DS market; there is little drop-out generally
02:28:26 Cip: There was not much room to improve already with Wise
02:28:38 Tomasz: Some issuers in the UK have more room for improvement
02:28:39 q?
02:28:50 ack Sam
02:28:51 q-
02:29:03 Albert2 has joined #wpwg
02:29:10 gkok: If you dive deeper, would you see a difference among device types?
02:29:24 ...can you break down performance by device?
02:29:31 Cip: This is running on desktop as well
02:29:51 gkok: You should check it out...you might see better performance relatively on mobile.
02:29:54 q?
02:30:03 Sameer: Who is the RP in your scenario?
02:30:49 Cip: Stripe is the RP in this experiment.
02:31:00 NickTR: Delegated auth in this case
02:31:00 q+
02:31:30 Cip: We are still using a 3DS flow...we are telling the issuer the user has been authenticated, but there is no liability shift
02:31:45 Sameer: EMVco has defined a data set.
02:31:55 Cip: In this case we have a separate flow and relationship with Wise
02:31:59 ack DP
02:32:28 DanP: In unregulated markets, what are you thinking?
02:32:52 Cip: There would be no liability shift (since not a 3DS flow) and no mechanism to get liability shift
02:33:07 ..this would just be about Stripe having more confidence, and we know we would accept liability
02:33:08 q?
02:33:13 ack vasi
02:33:35 vasilii: Can you say more about SPC and business bank accounts?
02:33:51 Cip: It's less likely that user has bank app on phone even though they have a corporate card.
02:34:04 ...in the UK 3DS auth is majority biometric through bank app
02:34:19 ...when you are doing a business banking flow, you might have to rely on SMS OTP and that's not as secure
02:34:23 ...that's the opportunity we see
02:34:38 Vasilii: How will binding happen?
02:35:03 q?
02:35:03 Cip: 3DS OTP the first time; the bank can have more of an experience around it, and they can tell users to do more secure SPC
02:35:23 Albert: the merchants that ask to opt out....was the enrollment process holding up the transaction?
02:35:38 Cip: We do enrollment after a successful transaction to avoid delaying the transaction.
02:36:04 ...it wasn't so much a concern from merchants about performance; more that merchants wanted full control. But it was a rare situation where they opted out
02:36:33 Albert: You said the fraud rate was about the same. Did the use of passkeys give Wise more confidence to do things downstream (e.g., handling disputes)?
02:36:41 Cip: I don't know
02:36:53 gkok: Provisioning fraud more concerning
02:38:09 q?
02:38:13 ack Albert
02:38:38 ack Albert
02:39:14 Cathy: Meta also looking at adopting SPC.
02:39:47 Topic: Implementation updates
02:40:46 (Irene Chang presents)
02:41:39 Irene: Developments in 2025
02:41:59 (1) Passkey syncing led us to add BBKs
02:42:13 (2) Dated user experience led to improvements to UX
02:43:27 (3) Unclear unhappy path led to improvements to fallback UX
02:43:55 Irene: BBKs available on Android today, and we are actively porting to Desktop (Windows, macOS)
02:46:14 Irene: we want a consistent UX across different platforms (to build user trust)
02:46:29 [Demo of BBKs on desktop]
02:47:36 q?
02:47:41 (We thank Darwin for his good work!)
02:47:58 Irene: You just heard some Visa and Mastercard reports; here's more on case studies
02:48:20 ...key takeaways: there's an opportunity to romp on why a passkey is being created with an issuer
02:48:39 ...another issue is how best to handle devices that are ineligible for SPC
02:49:01 Irene: We are looking for more input from you on features that are important to you. We've been looking at SPC on Chrome on iOS
02:49:44 smcgruer_[EST]: On the screen you can see Chrome on iOS (WebKit under the hood)
02:50:06 ...WKWebView hosts the content within a Chrome shell
02:50:55 ...you have three components in play: an app, the WKWebView library (with hooks provided by Apple), iOS-level APIs
02:51:13 ...for Payment Request or navigator.credentials, that's built into WKWebView
02:51:19 ...but you can't do SPC or payment handlers today
02:51:24 ...but there is a solution
02:52:00 ...WKWebView is able to inject JavaScript into the Web content. We (Google) do this a lot today (long list of polyfill examples)
02:52:16 ...we could polyfill with JavaScript Feature
02:52:38 ...to use this feature you write some JavaScript, and then you add your feature.
02:52:48 ...and magically the JavaScript runs in any loaded page
02:53:32 ...the way we could do this is to intercept calls to PR API for SPC (and allow the other PR API calls through)
02:54:08 ...so, should we just ship this?
02:54:18 (we do the same in Rakuten Pay, polyfilling stuff before documents are loaded and implementing everything on the native side. works very well but goodness all the plumbing required)
02:54:22 ...it turns out that there's a lot of work that we would need to do.
02:54:26 q+
02:54:43 ...we would have to implement payment handler functionality, BBKs, UX, etc.
02:54:53 ...there are open questions, particularly around passkeys
02:55:07 ...and there are downsides to this approach....we'd rather not do script injection.
02:55:19 ...and also, other browsers on iOS would not get SPC.
02:55:41 q+
02:55:59 q+
02:56:11 Gerhard: The obvious question for me is: how many people would this implementation on iOS benefit?
02:56:18 ...what percentage would be lifted by doing this?
02:56:36 RickByers: It varies a lot by country
02:57:00 ...in June 2025, Chrome was 15% of iOS users
02:57:09 ...81% is Safari in the US
02:57:24 ...in Germany, 16% Chrome
02:57:38 q?
02:57:43 ack Gerhard
02:57:48 ack jcayzac
02:57:50 Public browser market share data from Cloudflare: https://radar.cloudflare.com/reports/browser-market-share-2025-q2#id-9-market-share-by-country-and-os
02:58:10 q+
02:58:12 smcgruer_[EST]: It's possible other Chrome-based browsers would also get the feature on iOS
02:58:14 q?
02:58:41 Rick: We proposed to contribute this feature to WebKit, so we are assuming we cannot land it directly.
02:58:41 ack gkok
02:59:10 gkok: Is the JavaScript approach more brittle than a native implementation in WebKit?
02:59:26 RickByers: No; this is a common pattern for us
02:59:45 gkok: If for some reason SPC is invoked from within an iframe, does it work the same way?
02:59:57 smcgruer_[EST]: You have choices where you inject the script...we should be able to inject it in any frame
03:00:05 q+
03:00:12 RickByers: We've done a lot of this on Chrome already so have experience.
03:00:23 ack Gerh
03:00:37 Gerhard: Do you think it would be easier to do payment handlers than just SPC?
03:00:43 smcgruer_[EST]: We've also thought about this for PH
03:00:56 q?
03:01:20 ack DP
03:01:39 DanP: PCI has script preservation requirements
03:01:44 smcgruer_[EST]: Have not considered
03:02:24 smcgruer_[EST]: Some additional prospective topics:
03:02:34 - agentic powered checkouts with SPC
03:02:40 - SPC for subscriptions?
03:02:44 - passkey-less SPC?
03:02:59 q+
03:06:21 q-
03:06:51 No, all good. Thanks!
03:08:01 Ian: Could we use the WebAuthn endpoint API to talk to the RP?
03:08:11 q+ sidd
03:08:48 q+ Fahad
03:09:45 (We discuss the proposals around reducing double step-up)
03:10:04 ack Fahad
03:10:15 Fahad: There's some precedent for reaching out to the RP (e.g., FedCM does this)
03:10:36 smcgruer_[EST]: Yes, it's similar, but the call would be non-authenticated in this situation
03:11:02 Rick: FedCM does have an unauthenticated request.
03:11:20 (Privacy issues mentioned)
03:11:48 smcgruer_[EST]: As soon as I type my card number, merchant and issuer can talk to each other
03:11:57 gkok: Right, through 3DS method
03:12:02 q?
03:12:17 smcgruer_[EST]: Our preference would be to get rid of passkeys before fixing BBKs again and again
03:12:29 Ian: What would the flow look like without passkeys?
03:12:40 smcgruer_[EST]: Let's call BBKs "payment credentials" now
03:12:50 ...imagine you have an API to register a payment credential
03:13:07 ...the ability to create a credential would either be authenticated via a biometric or not
03:13:26 ...you create the payment credential and it's fully browser bound
03:14:24 JohnB: You'd be recreating single-device passkeys
03:14:46 smcgruer_[EST]: This would be a browser-level concept, not an authenticator-level concept
03:14:50 q+ Lee
03:15:01 q+
03:15:40 Ian: Would single-device passkeys be the same functionality?
03:15:43 q?
03:15:46 q+
03:15:47 ack sidd
03:16:41 sidd: How do you differentiate the agent from the actual customer?
03:17:29 JohnB: WebAuthn / passkeys require user presence.
03:17:47 ...if you make up a new credential you don't necessarily need to follow those rules
03:18:18 ...it would be surprising to people if there wasn't a user presence interaction over WebAuthn
03:18:37 ...if you wanted to do this with an agent that wasn't present, it would potentially be easier to do without a passkey.
03:18:43 q?
03:19:03 NickSteele: Passkeys don't need to be involved in agentic discussions.
03:19:29 ...we're trying to avoid scenarios where an agent is acting on behalf of a user with their identity; that's not a way forward.
03:19:48 ...when we are thinking about agentic payments, we are not trying to change passkeys
03:19:59 q?
03:20:05 zakim, close the queue
03:20:05 ok, Ian, the speaker queue is closed
03:20:27 q?
03:20:59 smcgruer_[EST]: There's no world in which we are proposing passkeys or SPC for the agent to authenticate themselves as the user.
03:21:19 smcgruer_[EST]: For SPC and agents, we are more thinking of this in the use cases of the user authenticating their mandate.
03:21:22 q?
03:21:24 q?
03:21:28 ack Lee
03:21:52 Lee: Regarding passkey-less. We started with this idea of using a passkey to authenticate a transaction.
03:22:13 ...but we've had to lay on "improvements" until we ended up making passkeys more suitable for payments.
03:22:27 ...it feels like we've gotten to the point where we should do something else.
03:22:44 ...I agree that we should not have gone down the passkey path
03:22:52 q?
03:23:01 q+
03:23:04 q+
03:23:11 ...if we are going to create a new payment credential -- we should absolutely do that -- why not come up with something that works natively and in the web
03:23:20 zakim, open the queue
03:23:21 ok, Ian, the speaker queue is open
03:23:31 q?
03:23:51 q-
03:23:56 q+ NickS
03:23:59 ack Tomasz9
03:24:05 q+
03:24:09 ack Tomasz
03:24:17 Tomasz9: I like the idea of non-passkey user verification. ...agree we should look at it in more detail
03:24:20 q+ ve7jtb
03:24:41 ...SPC is a two-step process...there is a two-step process (sheet then passkey sheet)...we can improve the UX without passkeys (one step only)
03:24:50 q+ smcgruer_[EST]
03:25:02 ...one of our findings is that we inherit passkey artifacts such as "signing with passkey" in the dialog
03:25:12 ...the other thing I wanted to mention as far as BBK issues
03:25:14 q-
03:25:39 ...in the case where the device does not support BBK or the browser doesn't
03:25:52 ...it would be good to know in advance "is BBK supported on this device?"
03:26:00 ...that could be accomplished by expanding an enumeration
03:26:02 q?
03:26:07 q-
03:26:22 q+
03:26:29 Tomasz9: Regarding subscription use cases, I think more generally it's about recurring transactions; we think it's valuable to enhance the sheet for recurring payments
03:26:42 ...it's not just about the UX, it's about signing over the terms and conditions
03:26:48 q?
03:26:56 zakim, close the queue
03:26:56 ok, Ian, the speaker queue is closed
03:27:55 NickSteele: there is some other work going on with MCP...there is currently a spec enhancement proposal that will be added to MCP that will allow for an SPC flow to be triggered during an agentic flow
03:28:08 ...the assertion will be handed back to the MCP client
03:28:26 ...there's a push to use the browser to handle a payment on the desktop
03:28:40 ack ve7jtb
03:28:49 ack nickS
03:28:57 JohnB: I want to speak up in defense of passkeys, kind of. There is work going on towards a relationship public key so that someone could have a trusted group of devices.
03:29:19 ...if we think that we can't take advantage of that so that someone doesn't have to do step-up on each device, it may not be worth it.
03:29:38 ...but the advantage of passkeys is to reduce step-ups cross-device...if we are moving away from that, there is little reason to use passkeys
03:29:39 q?
03:30:10 JohnB: It's ultimately a question of whether this is a stop-gap solution...en route to what we ultimately want
03:31:05 JohnB: Are we going to move in the direction of multiple passkey providers, trust between devices, multiple browser and platform architectures...if we're NOT going there then, sure, it can be a thing in the browser.
03:31:27 Nick_S: On the topic of the core challenges for subscriptions...I think it's important to define what the core challenges are.
03:31:46 ...there may be different schemes depending on different payment schemes.
03:32:39 ...so where's the boundary between what is something you should standardize v. what is scheme-specific.
03:32:43 Tomasz9: See this issue
03:33:35 https://github.com/w3c/secure-payment-confirmation/issues/185
04:54:33 Topic: SPC issues and discussion
04:54:37 (Issue 310)
04:55:02 smcgruer_[EST]: Doesn't really make sense for WebAuthn to have multiple RPs
04:55:23 Jonathan: the question is that the caller doesn't know which credentials are available on the device.
04:55:31 q+
04:55:39 zakim, open the queue
04:55:39 ok, Ian, the speaker queue is open
04:55:40 zakim, open the queue
04:55:40 ok, nicktr, the speaker queue is open
04:55:47 q+
04:55:52 JohnB: A WebAuthn credential is for one and only one RP
04:56:09 q-
04:56:17 Here's the use case: https://github.com/w3c/secure-payment-confirmation/issues/310
04:56:35 Fahad: For a given payment method, there could be multiple RPs (bank, network, PSP, etc.)
04:57:03 ...I want to be able to pass all of them in the payment request to increase my chances of an authentication.
04:57:24 JohnB: That is possible; you'd just need to pass the RP ID in with the credential ID
04:57:46 ...the authenticator only knows one RP for a given credential.
04:58:08 q?
04:58:26 JohnB: once you let other people ask for your RP ID, there are potential MITM attacks.
04:58:34 q+
04:58:36 Fahad: But I would see a UX in that situation
04:59:41 ack smcgruer_[EST]
05:00:26 q+
05:00:39 smcgruer_[EST]: The SPC implementation can iterate over the full set of credentials; the main "risk" is that it would be yet another step away from passkeys
05:00:58 ...the future where more authenticators would support this gets narrower.
05:01:16 ack nick_S
05:01:33 nick_s: Are there any payment schemes where this situation could occur?
05:01:54 Gerhard: There could be use cases in open banking
05:02:44 nick_S: If this happens in other payment methods then it makes more sense to solve.
05:02:59 NickTR: Any place where there might be a merchant-stored credential
05:03:37 Gerhard: Another use case under eIDAS where the bank can have its own credential and where the gov credential must also be accepted
05:03:49 Jonathan: You can make a choice up front, but
05:04:17 Gerhard: But you would not need this if you knew there was (not) a credential before the SPC call
05:05:30 IJ: What is the mood in the room about knowing silently there are no available credentials?
05:06:02 q+
05:06:15 JohnB: It's not silent; there's still a user interaction.
05:06:20 ack smcgruer_[EST]
05:06:21 q+
05:06:49 smcgruer_[EST]: I always had the feeling that the cross that SPC can be called even though not RP would also complicate our situation.
05:07:07 ...I don't think we cannot do this
05:07:25 timcappalli: You could do immediate mediation with BBKs.
05:07:45 smcgruer_[EST]: Sniffing attack with WebAuthn...you could only get the negative, not the positive.
05:07:46 q?
05:08:31 timcappalli: There's been recent talk about a switch to turn off immediate mediation
05:08:34 ack nick_s
05:08:54 nick_s: Regarding the question of whether to silently know there are "no credentials" ... absolutely not.
05:09:10 ...there will have to be a user intent.
05:09:53 ...the PR API implementation in Safari today says "yes, something is available"; it lies to you
05:11:03 (The acknowledged difference is that with SPC, other parties can use an RP's credential)
05:11:58 (The recap of immediate mediation is: silent "no" if no credentials, otherwise it triggers a user interaction)
05:12:29 [Back to topic of multiple RPs' credentials as input]
05:12:35 smcgruer_[EST]: I think we can build that into SPC.
05:14:30 IJ: what can we do to encourage more experimentation?
05:14:37 smcgruer_[EST]: Chromium is open source
05:14:52 ...this is about resourcing, not gatekeeping
05:14:58 ...there are many ways to contribute
05:15:55 +q our perspective on this
05:15:59 q+
05:16:00 +q
05:16:02 q+
05:16:04 q+
05:16:21 JohnB: What are the requirements to actually move this from a theory to something that's widely deployed?
05:16:30 ...is it the number of devices that support this?
05:16:47 ...we probably need to figure out "what is on the critical path" to make this an MVP?
05:17:09 ...if it's only on some devices ... I can understand why a bank would look skeptically at this.
05:17:15 q?
05:17:49 nick_s: I hear Ian saying 2 slightly different things: (1) how to experiment with the API (2) how can you add things that can get adoption?
05:18:03 ack gk
05:18:08 q+
05:18:13 ack nick_s
05:18:25 gkok: I don't think that "subscription" is a critical feature; the lack of additional information is not causing banks to hesitate.
05:18:34 ...I think device binding was a much more important feature
05:19:00 ack vasilii
05:19:04 ack vasilii
05:19:20 vasilii: I agree it's more about adoption than experimentation. Some features will advance adoption.
05:19:31 q?
05:19:34 ack Gerhard
05:20:03 Gerhard: The problem has been and remains lack of surety about what will happen when SPC is called.
05:20:22 ...improving 25% of the population in a given market is worth it for large issuers.
05:20:34 ...but the risk is all the challenges that were mentioned today.
05:20:53 ...lack of continued / predictable UX is a blocker
05:21:15 ...if you have to track a cookie in an iframe in order to try FIDO, those have been the challenges we face. They don't like OTP, but they know that it works.
05:21:28 ...I've been campaigning for a less onerous registration process.
05:21:32 q?
05:21:36 q+
05:21:42 ack nick_s
05:22:19 nick_s: That's true. These are payment instruments that are operating under rules. One way of getting adoption is for people who set rules to force adoption. (I'm not saying that should happen, only that it could happen)
05:22:32 q+
05:22:39 ...you'll never get complete compliance, but when rules mandate compliance it can accelerate things
05:22:46 ack gkok
05:23:11 Gerhard: Some things have been regulated. By making things more complex you can achieve higher failure rates.
05:23:36 nick_s: This isn't a problem you need to solve in the US. Nobody is going through OTP codes in the US
05:23:42 Gerhard: Yes, there are. A number of issuers are.
05:24:34 Gerhard: In the US, merchants are taking a large percentage of risk calls. Because the US is less accustomed to challenges, when challenges happen they are over OTP
05:24:49 Cip: 1.5% of transactions go through 3DS, and OTPs are over half of them.
05:25:04 Nick_s: But my point is 98% of transactions in the US are frictionless.
05:25:16 Gerhard: That's why I want SPC without passkeys in the US
05:25:16 q?
05:25:23 ack gkok
05:25:44 gkok: When I spoke to some of the issuers, some said that their biggest problem in some cases is card provisioning in wallets
05:26:26 nick_s: I'm not saying it's not worth it, I'm just saying adoption will be hard if it's not mandated.
05:26:47 Gerhard: Issuers are using fingerprinting to track the user, which is not good for privacy
05:26:56 ...that's how they are trying to reduce risk.
05:27:01 ...isn't that also bad?
05:27:09 Nick_S: But issuers don't care about that.
05:27:36 q+
05:27:51 @@: It would not be possible to force SPC on issuers if not interoperably deployed on all browsers.
05:27:53 ack gkok
05:28:26 gkok: France is a market where they don't want exemptions. Is this a good market to test for scale? Everything is going to be challenged there.
05:28:32 ...it would be great to test out in a big market.
05:28:39 ...I think that would allow us to solve for other markets
05:28:40 q?
05:28:55 q?
05:29:41 Henna: I think SPC today with BBK and the UX improvements is something we would use.
05:29:55 ...but I take the point that if not available consistently across browsers it will be more challenging
05:30:38 q+
05:31:22 timcappalli: We need to resolve the question of BBK only or BBK with passkeys while we're at TPAC.
05:31:28 q+
05:31:33 ...maybe you get BBKs on desktop and DPCs on mobile
05:31:48 ack timcappalli
05:32:06 Henna: I think passkeys with BBKs are fine; don't need to separate the two (at least yet)
05:32:41 ...my preference would be to keep passkeys + BBKs and add enhancements.
05:32:47 timcappalli: In my opinion, passkey doesn't provide value
05:33:19 timcappalli: The BBK would be a WebAuthn credential with UV required.
05:33:41 smcgruer_[EST]: We'd have to define all the authentication type things
05:33:53 timcappalli: It would be a WebAuthn credential with UV enforced.
05:34:01 smcgruer_[EST]: It might work to define it that way
05:34:25 timcappalli: You get a lot of guarantees by making it a WebAuthn credential, just not a passkey
05:34:48 Lee: it has a different UX, has different properties, etc.
05:35:03 timcappalli: I do think that making it a profile of WebAuthn is much easier than making a brand new thing.
05:36:01 JohnB: Would the credential also be available through WebAuthn?
05:36:10 Albert: We will be using passkeys (for login) for payments.
05:36:36 gkok: I think that was my point - the basic use case is cards (and mostly in Europe) where they are most concerned about the binding.
05:37:17 q+ timcappalli
05:37:17 ...I think that non-card payments will require something like SPC for authentication
05:37:22 ack gkok
05:37:23 ack gkok
05:37:51 timcappalli: I think we should explicitly separate login credential from payment credential
05:38:12 ...it might be one high-level name but different under the hood (e.g., BBK on desktop, DPC on mobile)
05:38:35 JohnB: I know it sounds like a nice idea to use the same credential for both, but practically right now, only a small percentage of passkey providers can do SPC.
05:38:45 ...the vast majority of passkey providers are just different providers
05:39:10 ...unless we get to the far more advanced stage of SPC cross-device,
05:39:24 ...I think from a login point of view you want flexibility to work across passkey providers
05:39:49 q?
05:39:51 ack tim
05:41:44 Jonathan: When you are a bank, could you do one enrollment and create both a passkey and a BBK?
05:43:02 q?
05:43:24 Lee: I think there are good reasons to create payment credentials.
05:43:50 ...e.g., Google Pay gives you nice one-touch checkout
05:44:03 ...if you want to make these things successful, you want a checkout API on the way.
05:44:07 q+
05:45:01 Lee: I'd like to see APIs for dedicated payment credentials. You can create 1-touch payment experiences with them.
05:45:09 q+
05:46:20 q+
05:46:34 smcgruer_[EST]: People typing credit card numbers into forms represents a lot of e-commerce
05:46:37 q+
05:46:42 Lee: You need an incentive for adoption by merchants.
05:47:31 q-
05:48:08 q+
05:48:31 timcappalli: If we go the BBK path, we should just go the DPC path.
05:48:49 ...your browser can store DPCs. We can just kill BBKs
05:48:55 ...you get a lot of benefits
05:49:19 q+
05:49:37 ack timcappalli
05:49:40 ...we have to be ok with passkeys not being the best approach for high-assurance banking situations
05:50:19 nick_s: I agree largely with Lee. I think one reason PR API did not get the adoption we wanted was because there was prior art.
05:50:25 ...I see SPC as a stop-gap.
05:50:26 ack nick_s
05:50:37 ...I feel like we should be more forward thinking
05:51:01 JohnB: That's the point I was trying to make. SPC is a stop-gap .. should we prune it back as a stop-gap to get it deployed in some useful fashion
05:51:10 ...if we keep adding features to SPC we're not going to get it adopted
05:52:31 q+
05:53:02 nick_s: Would we rather solve for one payment method or try to solve for more?
05:53:19 Ian: We have statements from other payments that this would be useful
05:53:47 nick_S: the reason we are doing SPC is that there is resistance to changing checkout flows. Should we be standardizing that, or should we be standardizing for the future?
05:54:16 nick_S: I am not dissing SPC, I think we should invest in the future.
05:54:19 Henna: We are doing that.
05:54:37 ...there are many people in the room working on that concept. But it will take time; something that works across OS, browser, wallets
05:54:42 ...today we have SPC and it works.
05:54:49 ...I'm not disagreeing with you, but it is available now.
05:54:56 JohnB: It works in a certain context.
05:55:20 ...if we can narrow down what we are offering people as BBK / SPC..
05:55:23 ...let's narrow to get adoption faster.
05:55:27 q+
05:55:51 JohnB: We have a limited window for this solution.
05:56:02 @@: That is an argument for keeping it as passkeys.
05:56:14 ack DP
05:56:23 DanP: Tim's question on picking a direction is the core question.
05:56:47 ...Lee asked what merchants are interested in? Merchants care about approval rates. Once we get to debit cards, we are outside EMVCo.
05:57:00 ...in the merchants with large volumes, they are thinking about uplift through SPC
05:57:24 ...7% conversion rates is very compelling and driving merchants to do pilots
05:58:14 ...the issuer wants to stay top of wallet, the merchant wants approval rates.
05:58:20 ack Gerhard
05:59:42 q+
05:59:52 Gerhard: If we have a DPC, how would we track the biometric?
05:59:58 ...if it's still the person, why not have a person credential, which authenticates me?
05:59:59 q?
06:00:10 ack gkok
06:00:26 gkok: If we find use cases for non-card use cases, I think SPC can work even better.
06:00:44 ...the reality is that we still have a lot of edge cases where tokens don't perform as well as they should
06:00:50 ...it's very hard to back off something like that
06:01:16 q+ later
06:01:18 ...I don't want my users to leave the browser to have to do something outside which is a less good experience.
06:01:23 q- nicktr
06:01:32 ...we'll talk about the facilitated links proposal tomorrow
06:01:41 ...could we still use SPC in that context?
06:02:04 ...I don't think we should move away from what we know about
06:02:05 ack benoit
06:02:35 david: Real-time push payments is a big opportunity.
06:02:41 q?
06:02:46 ack timcappalli
06:03:06 timcappalli: There's a lot of misconception about what a WebAuthn credential is. A WebAuthn credential makes no claim to represent a person.
06:03:25 ...DPCs are a fresh opportunity to say "this is a payment schema". I think it gives you what you want passkeys to be that passkeys will never be
06:03:27 q?
06:04:28 timcappalli: The thing that has changed (unlike 10 years ago) ... we have credential managers in all the devices
06:04:47 ...most users have these things and plumbing is shipping
06:05:17 nickTR: Great debate. I think good to aim high, but also important to get improvements in some markets for some people
07:01:04 q?
07:01:07 ack nick_s
07:01:12 ack nicktr
07:02:26 (Discussion about "stop-gap" v "long term solution" for SPC)
07:02:31 q?
07:03:35 JohnB: E.g., can you have multiple RPs ... if we are limiting that to Chrome then a pretty simple solution
07:03:47 ...if we try to solve more broadly it gets more complicated.
07:04:13 ...if we try to solve this for the much larger ecosystem, it's a much larger problem.
07:04:53 Henna: From a pure RP point of view, we'd like SPC to work. The way it works today; we'd like some minor enhancements.
07:05:02 ...from a DPC point of view, we are also invested in that.
07:05:27 ...I see SPC as a solution we will use today
07:05:46 ...I don't think we need to re-architect the whole thing
07:06:01 ...in parallel we need to get DPCs to work. If it works as expected, we'll use it.
07:06:03 q?
07:06:30 JohnB: I want to be clear. It's not the passkey or security key providers that don't want to do SPC. We don't yet have the ability to play in that ecosystem.
07:06:37 q+
07:06:52 JohnB: We changed the CTAP spec so that security keys could support it.
07:07:05 ...but other pieces are not in place.
07:07:21 ack nicktr
07:07:43 nickTR: I have a pragmatic view on this. Re short-term v. long-term. ... I am aware that we started SPC as a tactical solution...it's basically PR API with some extra bits.
07:07:56 ...we did the tactical answer and we have some traction
07:08:31 q+
07:08:44 ...I'm hearing that we're going to have a lot of cards and a lot of browsers, so let's do this for now.
07:08:48 ack nick_s
07:09:04 nick_s: You may have a lot of cards, but no mandate to use it.
07:09:59 nick_s: What is holding SPC back? Is it missing features? Or is it an interop issue?
07:11:20 Ian: We've heard many times that it's both features and interop.
07:12:54 q+
07:13:20 (Discussion about adoption)
07:14:00 q+
07:14:02 nick_s: There's no question passkeys are better than passwords. Is it as clear that SPC is a superior experience?
07:14:13 Sameer: I think interop across browsers would get us to the next stage of adoption.
07:14:20 q+
07:14:26 q?
07:14:31 ack SameerT
07:15:01 Jonathan: I do understand frustration that payments are not fast to implement new things. That's because there are billions of cards, millions of merchants, etc. You can't change the ecosystem overnight. Regulations change.
07:15:20 ...e.g., in UAE OTP will be banned, in India biometrics will be allowed.
07:15:32 ...passkeys were introduced with login in mind.
07:16:03 ...in payments, the credential needs to be tied to a user (can't be synced)
07:16:21 ...every integration problem will add conversion issues and merchants will say "worse than before"
07:16:39 ...the pace can be frustrating, but we are making progress. SPC is an improvement. DPC is very promising.
07:16:39 q?
07:16:45 ack timcappalli
07:17:02 ack gkok
07:17:04 timcappalli: Regarding "why passkeys are successful": companies aligned and were not competing with an existing solution.
07:17:08 ack gkok
07:17:24 gkok: It's more of a chicken-and-egg problem with SPC.
07:17:40 gkok: Issuers said to me that they needed device binding.
07:18:18 nick_s: I will need to defer to my colleagues who do authentication.
07:18:30 Jonathan: Do you see a difference between DPC and SPC from a UX perspective?
07:19:08 q+
07:19:16 Nick_S: Yes. With DPC you can ask for a payment credential and also an ID credential.
07:19:32 Jonathan: This aside (since you can do this outside SPC), do you see a gap in UX and security that SPC doesn't have?
07:19:57 nick_s: SPC today..you can enroll a credential that you've enrolled somewhere else.
07:20:07 ...it doesn't matter what wallet it is
07:20:19 ...I think it's a poor UX to enroll a second credential.
07:20:44 ...I think you'll get this through DPC. The wallet and credential managers will return the requested credentials.
07:21:24 (Some discussion of linking FIDO credential to an identity)
07:21:30 (UAF is a separate spec)
07:23:14 NickTR: How complex to allow various SPC options: passkey only, passkey + BBK, BBK only
07:23:29 (BBK only is "user activated experience")
07:23:47 smcgruer_[EST]: The version of this where you just click a "confirm" button is technically very simple, but there are some privacy questions.
07:24:08 ...the version where you click and get an OS biometric is more complex.
07:24:52 JohnB: Another way of looking at this: if credentials are made through SPC they would have the payment flag set, and those credentials would not be offered for normal webauthn.
07:25:15 ...it would be a small change to chrome or chrome passkey providers to not provide credentials for generic webauthn.
07:26:33 Rene has joined #wpwg
07:27:22 q+
07:27:49 ack nicktr
07:27:58 ack
07:28:02 ack nick_s
07:30:36 (Discussion of engineering effort and various solutions either using OS biometric or passkeys)
07:31:15 Sharanya has joined #wpwg
07:31:26 Apart from card networks and infrastructure / platform, issuer adoption is still influencing this. Thoughts? Can other parties being the relying party drive more adoption?
07:37:19 q+ - Future adoption
07:39:13 q+ Sharanya
07:39:50 q?
07:39:58 queue==
07:40:18 Could we perhaps enumerate the list of 'enhancements' for everyone's reference.
07:41:21 https://www.irccloud.com/pastebin/ZAd8AUKa/
07:42:11 Sorry - unhelpful formatting
07:42:16 Agentic
07:42:16 Extending Payment Confirmation experience to include line items
07:42:16 Recurring (see issue 185)
07:42:16 This might also help as people think about SPC in light of emerging wallets and digital payment credentials (see wallet comparison)?
07:42:16 SPC without passkeys (BBKs alone) for single-factor authentication / registrationless authentication / SMS replacement
07:42:26 q?
07:43:11 nick_s has joined #wpwg
07:43:14 Should SPC be limited to passkeys with the payment bit set?
07:43:54 Topic: Topics for tomorrow
07:44:02 - are there available credentials?
07:44:08 ...could we bring something into SPC?
07:44:17 ...without complicating how webauthn works?
07:44:36 Topic: Immediate mediation and SPC
07:55:07 timcappalli has joined #wpwg
07:56:46 timcappalli has left #wpwg
07:57:46 benoit__ has joined #wpwg
07:57:54 nick_s has joined #wpwg
08:04:52 SameerT has joined #wpwg
08:12:47 nick_s has joined #wpwg
08:37:06 Padmanabhan has joined #wpwg
08:46:36 Padmanabhan has joined #wpwg
10:04:53 Zakim has left #wpwg
12:02:50 TallTed has joined #wpwg
