06:38:43 RRSAgent has joined #payment-auth-issuer
06:38:48 logging to https://www.w3.org/2025/11/10-payment-auth-issuer-irc
06:38:48 RRSAgent, do not leave
06:38:48 RRSAgent, this meeting spans midnight
06:38:48 RRSAgent, make logs member
06:38:49 Meeting: Payment Authentication on the Web: an Issuer’s Perspective
06:38:49 Chair: aschGHub
06:38:49 Agenda: https://github.com/w3c/tpac2025-breakouts/issues/78
06:38:49 Zakim has joined #payment-auth-issuer
06:38:49 Zakim, clear agenda
06:38:49 Zakim, agenda+ Pick a scribe
06:38:49 Zakim, agenda+ Reminders: code of conduct, health policies, recorded session policy
06:38:49 agenda cleared
06:38:49 Zakim, agenda+ Goal of this session
06:38:49 Zakim, agenda+ Discussion
06:38:49 Zakim, agenda+ Next steps / where discussion continues
06:38:49 Zakim, agenda+ Adjourn / Use IRC command: Zakim, end meeting
06:38:50 agendum 1 added
06:38:50 agendum 2 added
06:38:50 agendum 3 added
06:38:51 agendum 4 added
06:38:51 agendum 5 added
06:38:51 agendum 6 added
06:58:24 watanabe has joined #payment-auth-issuer
08:02:21 watanabe has joined #payment-auth-issuer
08:02:38 Ian has joined #payment-auth-issuer
08:03:06 scribe: Ian
08:04:09 Albert: I will share issuer perspectives on authentication in payments.
08:06:33 rbyers has joined #payment-auth-issuer
08:07:01 Albert: challenge is to balance user experience and security.
08:07:07 Shuji has joined #payment-auth-issuer
08:07:13 ...we want to stop fraud and eliminate friction
08:07:18 ...we need a diverse toolkit
08:07:59 Our primary considerations when looking at new authentication methods and patterns:
08:08:23 Adoption: how quickly can customers learn and how simple is the experience?
08:08:49 Eligibility: This is a huge aspect when we hear about web payments. We want as few false positives as possible.
08:09:23 Fraud rate: Want phishing-resistant tool, and weaknesses of each tool
08:09:43 Omnichannel: We want things to work across devices, channels, and OSs
08:09:54 Complementary: No one tool solves everything.
08:10:02 ...how does a given tool complement others in the suite?
08:10:12 Effort: How feasible for me to build or buy?
08:11:57 Albert: Capital One offers app, card tap, OTP for authentication
08:12:46 ...we try not to pigeonhole customers to one particular method
08:13:12 Velvizhi has joined #payment-auth-issuer
08:13:27 hsano has joined #payment-auth-issuer
08:13:34 ...customers pick the most familiar often (so OTP much more popular than app, which is more popular than AirKey)
08:14:50 ...customers prefer lower friction
08:14:57 ...fraudsters also prefer lower friction
08:15:20 Gerhard: Is there differentiation among fraud?
08:15:50 Albert: We see social engineering on all channels; that appears to be the main threat vector
08:16:00 Gerhard: How about cross device?
08:16:11 Albert: Don't know offhand.
08:16:42 Tony_Nadalin: If people have multiple devices, does that affect choice of method?
08:16:47 Albert: Yes, will say more in a moment
08:16:58 Cip: Do you always present all options to cardholders?
08:17:14 ...or for example, you might only present one approach given risk calculation?
08:17:21 Albert: We modulate tool offering by risk.
08:18:13 Albert: A lot of issuers will have problems removing OTP from the market due to broad coverage.
08:18:33 ...we will allow users to attempt one method but then try another approach if that doesn't work.
08:18:42 Gustavo: Are you using these options for login as well?
08:18:52 Albert: All these are offered outside of Web Payments
08:18:58 ...there might be slight differences between mobile and web
08:19:22 Albert: One of the biggest challenges we've seen is that iframes present issues
08:19:45 ...in order to get a customer into the mobile app or AirKey experience, there are digital gymnastics
08:19:55 ...we do offer push in mobile context
08:20:06 ...for AirKey it's even more challenging since CORS restricted.
08:20:20 ...so we either do SMS to AirKey or the user does a manual copy or paste in a mobile context.
08:20:26 ...we are interested in SPC for this
08:20:38 ...for the AirKey experience in iOS we offer it as an app clip
08:20:51 ...for Chrome / Android it's done via WebNFC
08:22:45 Albert: We see drop-off between first screen and app. We are not seeing falloff once they are in the app
08:23:00 Gustavo: Are you asking backend for information?
08:23:05 Albert: We run our own ACS
08:23:17 Eiji has joined #payment-auth-issuer
08:23:19 ...once a card tap happens, we signal to the merchant and network that authentication has completed.
08:24:10 Gustavo: So if the user closes browser, you would still tell the server that authentication completed...but merchant might have some issues.
08:24:45 Sameer: If we can optimize the iframe experience, we think our conversion rate will go up significantly.
08:25:39 DanielWyckoff: Do you have instantaneous completion here?
08:26:06 Albert: We are very careful about how we are pushing frictionless experiences within our ecosystem because the rate at which fraud matures is very slow.
08:26:19 ...we may not get a fraud signal along those time periods.
08:26:37 ...if the user is transacting and authenticating within a time period, we might handle them in a frictionless way...
08:27:05 DanielW: Is there any state where you would open a modal and then immediately dismiss it (because recent session data is available and relevant)?
08:27:12 Albert: I would say no, we are not doing that.
08:27:32 ...it creates a poor customer experience ... don't want to disrupt the payment unless we are intending to challenge.
08:28:03 RickByers: Are you asking user to copy a URL?
08:28:09 Sameer: 3DS says you can't do popups.
08:29:09 Stephen: But payment handler can open. So your payment app could be a payment handler that could do an NFC scan.
08:29:21 RickByers: Yes, could be a Web-based payment handler.
08:29:58 Albert: We believe that if we can advance our authentication tooling we can give users better options
08:30:06 [On passkeys]
08:30:28 Albert: We see passkeys as the future of payment authentication.
08:30:36 ...all the good properties that we like
08:30:45 ...no app download is needed
08:30:51 ...no cell service is needed
08:30:57 ...no channel switching (required)
08:31:26 Albert: We are planning to offer a passkey solution as an auth method to our cardholders.
08:31:40 ...we will evaluate this tool and how customers respond (eligibility rates, completion rates, etc.)
08:31:52 ...we just launched passkeys for login this year
08:32:06 Tony_Nadalin: Are there any problems with registration?
08:32:24 Albert: I have not heard resistance. We're still evaluating the adoption rate.
08:32:33 Tony: Do people know what passkeys are?
08:32:51 Albert: Our enterprise is doing a lot of education.
08:33:03 Gustavo: If I'm only on the app, would I get a chance to enroll?
08:33:38 Gerhard: Do you allow registration during payment journey?
08:33:55 Albert: We won't be doing registration on the iframe.
08:34:04 Gerhard: How do you choose to do registration?
08:34:29 Albert: Initially we won't know, but we'll be looking at whether the payment credential has been enrolled with a passkey in the past.
08:34:50 Tony: Would it help if you knew up front that there was a passkey?
08:34:57 Albert: Yes, absolutely.
08:35:37 (We talk about immediate mediation)
08:36:15 stephen_mcgruer: But is that really a better experience?
08:36:52 I have made the request to generate https://www.w3.org/2025/11/10-payment-auth-issuer-minutes.html Ian
08:37:57 (Some discussion about UX challenge around immediate mediation, especially when multiple family passkeys are on the device)
08:40:06 (On 3DS and setting permission policy on iframe)
08:40:36 Albert: SPC has made it possible for issuer to assert on pre-established FIDO credentials without presence
08:40:46 ...I see this as an opportunity to optimize our authentication tools.
08:41:24 Tony: Do you care about certification aspects?
08:41:45 ...do you need FIDO?
08:42:12 Stephen: Which authenticator types do you care about? E.g., roaming v. phone v. ....
08:42:27 Albert: We see the most benefits out of synced passkeys.
08:42:46 Stephen: Do you have use cases for roaming keys?
08:43:25 TimCappalli: Would you restrict a user from saving a passkey on a roaming authenticator?
08:43:30 Albert: I am neutral.
08:43:47 Albert: A lot of our web based payments will be in a mobile context.
08:44:21 Padmanabhan has joined #payment-auth-issuer
08:45:04 Gustavo: Your user today has three options. You are ok with user having only one option with SPC?
08:45:14 Albert: I'm interested in not owning the iframe.
08:45:26 ...there are advantages to not having to manage the iframe
08:45:45 ...I have no problem working with the browsers to elevate the options to give my auth tools a better chance of conversion.
08:46:01 Gustavo: I don't like iframes; they are hard to debug when problems arise.
08:46:25 Albert: The benefits of SPC are clear
08:46:44 ...the way we see it: fraud security, challenge time, future success.
08:47:03 ...can this be extended to other authentication tools (e.g., card tap, payment linking, roaming authenticators)?
08:47:47 ...can we extend SPC beyond passkeys?
08:48:05 ...it would be good to meet issuers where they are.
08:48:42 Gerhard: It would also be good to be able to get from merchant site to Capital One app and then get back.
08:48:52 Albert: Maybe not even directly in channel, but halfway there.
08:49:03 ...so cf. the facilitated payment link proposal, or payment handlers
08:49:32 Gerhard: Some of this is available already. In 3DS 2.3.1 there's an option to link to the app and get back to the shopping context.
08:49:40 Albert: is that in web or native app?
08:50:03 Gerhard: I think from web to app and back
08:50:23 Lee: DPC is the more general solution.
08:50:28 ...all inline without redirects.
08:50:32 ...works for both native and web
08:51:07 +q Sharanya
08:51:12 Gustavo: How much remains in the control of the issuer in that case?
08:51:22 Lee: You'd make the DPC call wherever you would make the SPC call.
08:51:51 ack Sharanya
08:52:18 Sharanya: What are the two factors that you are using?
08:52:34 Albert: We are in an unregulated market, so we don't need to satisfy SCA.
08:53:48 (Albert shows mockup of SPC used with WebNFC)
08:54:02 Albert: Some issuers may hesitate to use SPC so you need to lead them into it.
08:54:13 ...this group can help bring issuers along
08:54:20 ...I'd love to see:
08:54:41 * Blend my other auth tools with SPC. A lot of my issues could be resolved with help from browser
08:54:55 Gerhard: Would you still need an OTP fallback?
08:55:04 Albert: Yes, but we'd like to get rid of it
08:55:55 TimCappalli: Do you want to get rid of OTP completely? What about Android phone number verification?
08:56:23 Nick_S: If you had the customer's phone number in your system, and it was cryptographically verified, would that be more useful?
08:56:49 Gustavo: With the phone number verification you get more guarantees.
08:57:01 DavidBenoit: But that doesn't protect against SIM cloning
08:57:20 Gustavo: But I am hearing the issue is more about phishing rather than SIM swap
08:58:21 (Discussion of SPC with other authentication tools)
08:58:54 (WebNFC, OOB app)
08:59:43 Albert: We are strategically building toward SPC.
08:59:51 ...we plan to launch WebAuthn in early 2026
09:00:01 and we'll evaluate SPC later in 2026
09:00:23 ...I would encourage the group to think about meeting issuers where they are at
09:00:31 and advancing browser capabilities to bring issuers along
09:00:39 ...and allowing issuers to authenticate their own customers.
09:01:06 RRSAGENT, make minutes
09:01:07 I have made the request to generate https://www.w3.org/2025/11/10-payment-auth-issuer-minutes.html Ian
12:37:40 rrsagent, bye
12:37:40 I see no action items