SPC is a First Public WD

My congratulations to the Web Payments Working Group for the publication today of Secure Payment Confirmation (SPC) as a First Public Working Draft. The specification is taking shape in part thanks to experimentation by Adyen and Airbnb, the results of which I anticipate we will hear about at our October TPAC meeting if not sooner. We also look forward to a second experiment from Stripe, whose first experiment led to a number of changes in the Chrome implementation. Our colleagues at EMVCo have shared publicly that they anticipate integration of SPC into EMV® 3-D Secure version 2.3, and I look forward to seeing that specification soon. We also continue to pursue our conversations about integration into other underlying protocols, such as EMV® Secure Remote Commerce and Open Banking.

In other Working Group news:

* We have stopped work on the Basic Card specification. Some participants have expressed interest in exploring a replacement, so we will begin use case discussions this week.
* We have started group review of a draft charter; our current charter expires at the end of 2021.
* We are building our agenda for the October TPAC meeting.

I look forward to a busy next few months.

Updates on Payment Request V1 and SPC

I want to share two updates from the Web Payments Working Group.

The first is that we are preparing a slimmed down version of Payment Request API version 1 to advance to Recommendation by early August. Privacy and internationalization reviews led us to look closely at features related to requests for shipping/billing addresses and contact information. To satisfy some of those concerns and because the features are not widely used in the wild, our plan is to remove them. Doing so should also make it easier for browser vendors to maintain their implementations of the API, and for the Working Group to add new features. Once we’ve adopted these changes (following a Call for Consensus to the Working Group), we will return to Candidate Recommendation for a brief period, then proceed mid-July to Proposed Recommendation.

The second topic is Secure Payment Confirmation (SPC). (For an introduction, see the previous blog post on SPC and the Stripe Experiment.) The Web Payments Working Group held a 4-day remote meeting in early April to discuss SPC, including:

To focus our SPC deliberations, a few weeks ago we created an SPC task force within the Web Payments Working Group. One of the first goals was to craft a clear answer to the question “What is SPC?” Here is our current draft (subject to change; feedback welcome):

Secure Payment Confirmation is a Web API to support streamlined authentication during a payment transaction. It is designed to scale authentication across merchants, to be used within a wide range of authentication protocols, and to produce cryptographic evidence that the user has confirmed transaction details.

The task force has also taken a stab at answering the question “What is unique about SPC?” and capturing some consumer-to-business user stories. After our work on SPC scope we will progress to gathering requirements and prioritizing feature requests.

In parallel, the Chrome team has launched a second origin trial for SPC and updated developer documentation for those who wish to experiment.

Our work on use cases and requirements, as well as feedback from the growing number of pilots (Stripe version 2, Airbnb + Adyen) will inform the shape and initial capabilities of the API.

Now is a great time to experiment; please contact me or the Chrome Team for more information about participating in the second origin trial.

Secure Payment Confirmation, Stripe Experiment, and Next Steps

Mockup of transaction dialog for SPC

On 18 March Stripe presented the results of their 3-month experiment with Secure Payment Confirmation (SPC) to the Web Payments Working Group (minutes). The results were quite exciting: conversions went up by 8% and authentication sped up considerably. I share details below and you can find more in the Stripe presentation.

The vision for SPC is to streamline strong customer authentication (SCA) during a Web payment. This will improve Web commerce experiences, enhance security, and help the payments industry fulfill regulatory requirements (e.g., PSD2 in Europe). SPC does not yet exist as an API or a well-defined set of browser behaviors. The Stripe experiment tested some hypotheses for what SPC could become. Google engineers made the experiment possible through modifications to implementations of Web Authentication and Payment Request API in Chrome on MacOS. The Web Payments Working Group is about to embark on a more systematic elaboration of SPC’s features and scope.

The Stripe experiment sought to understand if users prefer strong authentication through one-time passwords or FIDO authentication. Why FIDO? The combination of CTAP from the FIDO Alliance and Web Authentication from W3C —commonly referred to as FIDO2— is an ideal backbone for an SCA solution. It is supported on all major browsers (desktop and mobile). Billions of deployed phones and laptops include built-in authenticators. FIDO2 provides better security and usability than passwords and explicitly seeks to meet regulatory requirements (see the FIDO white paper on meeting PSD2 SCA requirements).

For simplicity, the SPC experiment focused on card payments where the initial enrollment was performed with EMV® 3-D Secure (“3DS”). As I mentioned in a previous blog post, EMVCo, FIDO, and W3C are discussing multiple ways of using FIDO with 3DS. The experiment focused on using FIDO during the 3DS challenge flow. This proved a very informative starting point, but part of our ongoing work will be to ensure that SPC can be used in a broad range of payment flows and systems.

To understand the motivation for SPC, it is useful to consider how 3DS works on the Web today. My explanation is a simplified version.

  • An important design goal 3DS is to enable the bank that issues a credit card to determine whether the person planning to use the card for an ecommerce payment is authorized to do. However, when a user is shopping, the user is interacting with a merchant, not their bank.
  • One way to “get the user to the bank” is through an HTTP redirect to the bank’s Web site (in a first party context) for authentication. People tend to not like this solution for a variety of usability reasons. Merchants do not like directing their customers away from their site.
  • Another solution is to include code from the issuing bank in the merchant site (in a third party context). Payment services providers (to merchants) typically take this approach using iframes, but without Web Authentication.

Let’s examine why. In Web Authentication Level 1:

  • A relying party must register an authenticator in a first party context.
  • The relying party is the only party that can authenticate the user.
  • The relying party can only do so in a first party context.

In other words, with Web Authentication Level 1, the issuing bank (assuming it operates in a different origin than the merchant) could not use Web Authentication to authenticate the user within the merchant page (in a third party context).

To overcome this limitation, the Web Payments Working Group asked the Web Authentication Working Group for an enhancement. As a result, in Web Authentication Level 2:

  • A relying party must register an authenticator in a first party context.
  • The relying party is the only party that can authenticate the user.
  • The relying party can do so in either a first or third party context.

Now the issuing bank can authenticate the user with Web Authentication from within a merchant page. That’s already a big win. But Stripe sought further improvements. They pointed out that embedding code from an issuing bank in a page involves more network calls and could create security policy issues. Instead, they wanted to be able to trigger Web Authentication themselves, collect the resulting assertion, and pass that on to the issuing bank through back channels. The issuing bank would still validate the assertion as the relying party.

This is how the first “superpower” of SPC came about. With SPC:

  • A relying party must register an authenticator in a first party context.
  • Any party can authenticate the user.
  • Any party can do so in either a first or third party context.

This is an important departure from Web Authentication behavior and so it is only available “in a payments context.” The current (experimental) definition of “in a payments context” is “during Payment Request API.”

SPC, in its pilot manifestation, thus marries Payment Request API and Web Authentication. The idea is that developers will have more superpowers via SPC than when the APIs are used independently.

The second superpower of SPC is the browser’s “transaction confirmation dialog.” The goal is to have a built-in browser capability to create a consistent authentication experience across Web sites and platforms.

This is another departure from Web Authentication. Web Authentication is performed within a window opened by some origin. Stripe asked the Chrome team if the browser could manage the window instead of Stripe having to open one. The result is a built-in browser dialog, shown in the mockup included above. SPC delegates the authentication UX to the browser. Here’s how SPC worked during the experiment, leading up to the transaction confirmation dialog:

  • During an enrollment (which I won’t describe in detail here), the user registers an authenticator with the issuing bank in a first party context. The issuing bank associates the user’s card with that FIDO credential.
  • During a transaction, on any merchant site, the user selects the same card to make a payment. Stripe (or any PSP) reaches out to the issuing bank (via a modified 3DS protocol) and asks: Do you have any FIDO credentials associated with this card? The issuing bank returns the shareable parts of any credentials it has stored, along with a random number (which will be used during authentication). Stripe calls SPC, and the browser opens the transaction confirmation dialog, asking the user: “Do you want to authenticate to pay N dollars to the following merchant using this card?” If the user proceeds, the platform (in this case MacOS) prompts the user to authenticate (in the experiment, using TouchID).

Stripe also wanted to leverage SPC to fulfill another PSD2 requirement: “dynamic linking.” The requirement involves cryptographic evidence that the user agreed to the transaction amount and beneficiary. The browser’s new transaction confirmation dialog displays the information required by PSD2, and when the user proceeds, the FIDO authenticator is used to sign the amount, beneficiary, and card information. Thus, the third superpower of SPC is built-in support for signed transaction confirmation data.

To summarize, the initial experiment with SPC involved these three new browser capabilities:

  • Relaxation of the constraint on who can authenticate the user for a given FIDO credential during Payment Request API
  • Transaction confirmation dialog built into the browser
  • Signed transaction data

We have started work to elaborate a list of SPC benefits that emerge from these three capabilities. I imagine these initial three capabilities will remain part of the SPC vision, but people are already curious whether we can add more, such as standardized enrollment flows, zero-friction flows, sources of randomness as input to FIDO authentication, and the ability to invoke SPC within a Payment App. We will discuss potential SPC features at the remote meeting of the Web Payments Working Group next week.

Back to the experiment. How did SPC compare to one-time passwords? Stripe shared with us that with SPC:

  • Conversions (completed transactions) increased 8%.
  • Users authenticated in less than 1/3 of the time.
  • There was negligible fraud.

I expect the Working Group will want to take up SPC as a formal work item, which means we’ll have a lot to do:

  • More experimentation (including with banks)
  • Initial work on a specification.
  • Expansion of implementation by Google to other platforms.
  • Engagement with more browser vendors.
  • Discussion of requirements from a variety of payment systems and flows (e.g., EMV® Secure Remote Commerce (“SRC”), Real-Time Payments from The Clearing House, Open Banking in Europe, etc.)
  • Coordination with the Web Authentication Working Group and the FIDO Alliance to make sure that SPC aligns with that work.
  • Coordination with the EMVCo 3DS Working Group for any enhancements to 3DS or SRC to support SPC.
  • Understanding how SPC relates to other authentication delegation use cases; see for instance the new white paper FIDO for SCA Delegation to Merchants or Wallet Providers. The Web Payment Security Interest Group provides EMVCo, FIDO, and W3C the forum for discussing these use cases and how to make sure the various technologies can interoperate flexibly.

I want to thank all the people who have contributed to discussions, coding, and experimentation so far, especially colleagues at Stripe, Google, and Coil.

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

An EMV® 3-D Secure view of EMVCo, FIDO, and W3C activities

In September 2020 the Web Payment Security Interest Group published “How EMVCo, FIDO, and W3C Technologies Relate” to describe the relationship between technologies such as EMV® 3-D Secure (hereafter “3DS”), Payment Request API, and FIDO / Web Authentication. In this post I describe some of the current thinking about how to use those technologies together to improve the user experience and security of Web payments.

3DS Background

3DS seeks to reduce remote commerce fraud by authenticating the cardholder. Merchants that leverage 3DS may be eligible to receive a “liability shift” benefit. Because 3DS makes it possible for issuing banks to perform multifactor authentication, it can also be used to satisfy the Strong Customer Authentication (SCA) requirements of the European regulation Payment Services Directive (PSD2).

The industry has devoted a lot of energy to reducing friction during cardholder authentication. To that end, 3DS defines two flows. The “frictionless” flow involves risk assessment by the issuing bank (or its Access Control Server partner) without requiring a user gesture. On the Web, this is generally accomplished by collecting device information (via JavaScript) during checkout and looking for stability in the device information across transactions. According to my colleagues, this first flow suffices for a large majority of cases, and is thus a valuable tool in fraud reduction. However, in some cases (e.g., high value transactions, changes to the device information, compliance with local regulations such as PSD2, etc.) the issuing bank may seek additional data through the second flow, called the “challenge” flow. The bank may use a variety of authentication methods during this flow. For example, the bank can display a form during checkout where the user enters a one-time password they receive on their mobile phone. In Europe, as of 1 January 2021, the one-time password approach cannot be used as a knowledge factor under the strong customer authentication requirement of PSD2.

In both situations, after the flows complete successfully, the bank returns an “authenticationValue” (AV) to the merchant as confirmation that the bank has authenticated the cardholder.

In addition to this sort of regulatory requirement, two changes to the Web ecosystem have motivated members of EMVCo, FIDO Alliance, and W3C to explore new ways to reduce user friction during 3DS:

  • Web Authentication is now ubiquitously supported in all major browsers and billions of devices now offer FIDO-compliant authenticators.
  • Browser vendors are changing browser behavior to foster greater user privacy, and this will have an impact on the traditional device information techniques of the 3DS frictionless flow.

Below is my summary of approaches we are discussing to enhance 3DS flows with FIDO authentication and Payment Request API.

Protocol Observations

These observations drive some of our design choices and constraints:

  • In situations where the issuing bank authenticates the cardholder through 3DS, the issuing bank by default will be the Relying Party. However, the issuing bank may delegate that role to other parties, as we discuss in one scenario below. (We do not discuss here all possible delegation scenarios.)
  • FIDO authentication depends on randomized challenges to avoid replay attacks. These challenges are generated by Relying Parties, in our case the issuing bank.

FIDO in the Frictionless Flow

One way to reduce authentication friction during checkout is to try to make use of previous authentications.

Suppose a merchant site supports login through Web Authentication rather than username/password. If the user logs in and begins to shop, is there a way to reuse the FIDO authentication during a 3DS checkout?

If the merchant is the Relying Party, the merchant provides the randomized bits used in the Web Authentication challenge. This means that even if the merchant passes the resulting assertion to the issuing bank, the bank may not have the same level of cryptographic confidence. (The bank and merchant might have an out-of-band agreement, but that would be beyond the scope of the standard and not scale easily.)

However, there are other ways to take advantage of prior authentication to a merchant within the 3DS frictionless flow. In essence, the merchant can send some FIDO information to the issuing bank (e.g., credential id, authentication date), and the bank risk engine can review it for consistency across transactions. A FIDO Technical Note and related EMVCo white paper describe in detail what FIDO-related data to provide on the 3DS rails.

FIDO in the Challenge Flow

To leverage Web Authentication during the challenge flow, the Relying Party —the issuing bank— would ordinarily need to be the origin that (1) challenges the user and (2) validates the resulting assertion. Traditionally this has meant redirecting the user to a first-party context (the issuing bank origin), which is not a great user experience. Web Authentication Level 2 provides a new capability: the Relying Party can challenge the user from a third-party context in an iframe. However, this requires embedding code from issuing bank origins, and some payment service providers have indicated that this is suboptimal since not all issuing banks are known in advance to those payment service providers.

Colleagues from Stripe, Google, and Coil have proposed a new way to streamline authentication during a payment: if the browser is confident that the user has knowingly embarked on a transaction, the browser can relax a Web Authentication constraint and allow a third party to challenge the user. The bank would still need to validate the resulting assertion in a 3DS context, but origins other than the Relying Party could challenge the user as long as the user is in a “payments context.”

How does the browser recognize that the user is in a “payments context?” One answer is: if the user is engaged in a Payment Request API user experience. In other words: browsers have implemented Payment Request API to make clear to users “you are starting a transaction” and to protect users by requiring gestures, etc.

This proposal to couple Payment Request and Web Authentication is called Secure Payment Confirmation (SPC). SPC gives special powers to developers they would not have using Web Authentication “out of the box” in a non-payment context. In addition to enabling very low friction checkout with strong authentication, SPC will enhance payment security by including reliable transaction data in the authentication results; more on this below.

Here’s how we imagine it will work:

  • Enrollment. During a transaction or at some other time, the user enrolls their authenticator with the Relying Party. The browser augments the usual authentication credential with extra displayable payment instrument information. Specifically: a short string (e.g., a masked account number) and an icon (e.g., of a credit card company or bank).
  • Transaction. The party using SPC provides the browser with one or more Web Authentication credential ids and says “Please authenticate the user with any of the corresponding authenticators (e.g., first match wins). The browser then asks the user if they want to authenticate to pay using the corresponding authenticator.

Starting in December 2020, Stripe began an experiment with SPC in a Chrome origin trial (limited to MacOS). We would like to know whether users prefer a “light” challenge using biometric authentication in a window presented by the browser, or the traditional 3DS challenges presented by the issuing bank (traditionally based on one-time codes). If users like the experience —and if conversions go up and fraud goes down— this will bolster the case for using SPC as a way to satisfy PSD2 SCA requirements. We will also want to compare the SPC experience (and outcomes) to out-of-band authentication via a native app.

Where does the calling origin get the credential ids? We expect different approaches in different payment methods. For the 3DS case, here is the expectation:

  • The user will select a card for payment (e.g., by completing a form on the merchant site, or by selecting a previously used card).
  • The merchant (or payment service provider) will initiate a 3DS transaction and ask the issuing bank “Do you have any credential ids associated with this card?”
  • The issuing bank will return a list that is then used as input to SPC.

EMVCo is helping to explore how best to integrate SPC with their 3DS protocol.

One more note: PSD2 also includes some requirements related to “dynamic linking“: evidence that the user was made aware of and agreed to the payment instrument, amount, and beneficiary of a transaction. We think that SPC will be able to help with compliance. The browser has this information when Payment Request and Web Authentication are used together in SPC. Chrome’s new UI displays the information to the user, signs it using the authenticator, and returns it so that the Relying Party can verify cryptographically what the browser displayed to the user.

To recap: EMVCo, FIDO, and W3C are working together on ways to use FIDO authentication and Payment Request API in both 3DS frictionless and challenge flows. We intend for SPC to be useful in the fulfillment of PSD2’s SCA and dynamic linking requirements.

After Stripe publishes its results, I hope and expect that the Web Payments Working Group will devote a lot of its time in 2021 to SPC. To ensure it can be used with a variety of payment methods, we would reach out to our open banking colleagues, to participants from NACHA and TCH, to our colleagues working on EMV® Secure Remote Commerce (SRC), and others to ensure that the design supports a variety of use cases.

Acknowledgments

Thanks to Benjamin Tidor, Danyao Wang, Adrian Hope-Bailie, Rouslan Solomakhin, and others working on SPC. Thanks to Jonathan Grossar, Benjamin Tidor, Sameer Tare, Christian Aabye, Doug Fisher, and Richard Ledain for input on this post.

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

Recap of October 2020 Extended Meeting

The agenda of the recent Web Payments Working Group meeting (19-22 October) spanned three broad topics:

  • Payment Request API, today and tomorrow
  • Streamlining authentication in payments flows
  • QR codes and more payment methods

Meeting minutes are linked from the agenda; below is my summary.

Payment Request API, today and tomorrow

We first discussed a plan to finalize Payment Request 1.0: it has shipped in Chromium and Webkit browsers for several years; can be used with Apple Pay, Google Pay, Samsung Pay; and is supported in several merchant libraries (e.g., Stripe and Braintree). After the meeting (and a Call for Consensus) the Chairs announced the decision to proceed toward Recommendation. Version 1.0 provided us with a lot of insights and now we can build on that experience.

Streamlining authentication in payments flows

We then discussed “next version” Web payment capabilities, some of which are already in development. In particular, we saw demos of Secure Payment Confirmation (SPC), designed to streamline strong authentication during checkout by marrying Payment Request and Web Authentication. Here’s how it works: Web sites call SPC with Web Authentication credentials as input. If the browser is able to authenticate the user using any of the (previously enrolled) credentials, it will prompt the user and return the resulting assertion to the site. In addition, SPC is designed to support “transaction confirmation” use cases, such as those described in European regulation (PSD2’s “dynamic linking”). SPC features a clear and secure display of key transaction details, reduces the total number of user gestures to authenticate, and eliminates the need for the site to open its own window for Web Authentication. Stripe showed a demo that leverages the preliminary implementation of SPC in Chrome 86. The demo is part of a pilot program that Stripe is running to test the hypothesis that users will prefer a low-friction authentication experience using Web Authentication (as part of an EMV® 3-D Secure step-up) to a typical one-time password experience. We look forward to hearing results from the pilot by early 2021.

We then heard from Visa and Mastercard about how SPC could enhance the user experience of EMV® Secure Remote Commerce (SRC) flows. (I apologize for the similarity between “SRC” and “SPC”!). Visa presented slides that show an SRC checkout demo including SPC leveraged by the merchant’s payment service provider. Mastercard shared mockups of an SRC checkout where a Web-based payment app uses SPC to streamline authentication.

My colleague from Mastercard referred to these approaches respectively as “the left side” (code running in the merchant site) and “the right side” (payment app code running on the user’s device). I appreciated that imagery, which I have similarly expressed in a Payment Request ecosystem diagram (shown in this post) where the merchant site (calling Payment Request) is on the left, the browser is in the center, and payment apps (native or Web-based) are on the right.

Block diagram of payment request components, with the merchant site on the left, the browser in the center, and payment apps on the right

We thus heard calls for SPC to be available for both left side and right side solutions. We have heard similar requests related to another user experience enhancement: “in-context display”. Today the Chrome implementation of the Payment Handler API includes a “modal window” in which payment app code runs. Chrome displays the origin of the code running in the window at the top, a security benefit. There is general agreement that this modal window, which appears above the underlying merchant context, provides a better user experience than a redirect. In-context display is thus available today on the right side, but not yet on the left. I anticipate we will turn our attention increasingly in 2021 to left side use cases as we continue to revisit Web payments architecture.

To round out our authentication discussion, the co-Chairs of the Web Authentication Working Group gave us an update on the progress of Web Authentication Level 2.

QR codes and more payment methods

We also discussed the following payment methods and use cases, looking for connections to Payment Request, SPC, and our architectural considerations:

  • QR codes: QR codes are very popular in some parts of the world, and have gained more attention during the COVID-19 pandemic as a way to communicate at a distance. We heard first from EMVCo, who is developing some new standards in this space. We also heard from two entities that are making use of that work: China Union Pay, and the European Payments Council on Mobile Initiated SEPA Credit Transfers. Our colleagues from Entersekt also shared perspectives on QR codes and Web payments, and these may help us structure our conversations moving forward.
  • Open banking: Colleagues from STET and the Berlin Group provided updates on the adoption of their open banking APIs, some challenges they are facing, and some new programs they expect to appear in 2021.
  • Web Monetization: Coil (one of the TPAC sponsors, thank you!) shared updates about Web Monetization deployments and a current strong interest in using it for use cases such as tipping and donations. We also learned more about the Grant for the Web, a Coil-led project to boost innovation around Web monetization.
  • Real-time Payments (RTP) and bill pay: The Clearing House described advances in the Real-Time Payments (RTP) protocol as well as a bill pay use case where the Payment Request architecture could be a good fit for enabling streamlined checkout using the “request for payment” functionality developed alongside RTP. We also connected this discussion to our QR codes and authentication discussions.

Closing thoughts

Although I longed to see colleagues in Vancouver, I found this meeting invigorating and productive (as I found our April 2020 meeting). There is a lot of experimentation happening right now, and I look forward to hearing the results in early 2021, and of course sharing them in this forum.
Thanks to the Web Payments Working Group participants for all they do!

A few days ago we launched a new Merchant Business Group focused on non-technical discussion and advocacy. The group held its first meeting in late October and I hope that soon we’ll connect some of their use cases and requirements to the Web Payments Working Group agenda. Contact Nick Telford-Reed or me if you have any questions.

Preparing to Advance Payment Request API 1.0 to Recommendation

Today we kicked off the process that, ideally, will result in the publication of Payment Request API 1.0 as a W3C Recommendation in Q1 2021.

The Web Payments Working Group and other W3C groups now have an opportunity to respond to a Call for Consensus to publish Payment Request API as a revised Candidate Recommendation. W3C Process requires us to return to “CR” because we removed a small number of features for which we don’t have interoperable implementations.

At the Working Group’s meeting 19-22 October we will discuss the plan to “get to Recommendation.” We will also discuss the evolution the API thereafter, grounded in our discussions with the payments industry.

Don’t hesitate to contact me if you have any questions!

Web Payment WG Agenda, October 2020 Edition

Next week the Web Payments Working Group holds an 8-hour virtual meeting over four days. Our agenda includes:

  • Review of the status of Payment Request API as it is deployed;
  • Discussion of use cases and requirements for a variety of payment methods and flows, including EMV® Secure Remote Commerce, open banking APIs, RTP® (Real-time Payments), Web monetization, use cases for which QR codes are deemed useful, and other non-card payment systems.
  • New APIs and design ideas, including updates on Secure Payment Confirmation (SPC), which couples Web Authentication with Payment Request API to streamline strong customer authentication during checkout.

This meeting is part of TPAC 2020, W3C’s annual big meeting.

I look forward to reconnecting with colleagues, even if we are only able to meet virtually this year.

Code-a-Thon Recap

In late May, about 25 people participated in the first code-a-thon (minutes) of the Web Payments Working Group. We organized three, 2-hour videoconferences, separated by 22-hour blocks of time for independent collaboration and coding. We learned a lot and saw some great demos!

Projects

On the first day participants introduced seven topics. Four of those ended up gaining traction, and we reviewed their progress on the second and third days. I summarize them here.

Payment App with Web Authentication / FIDO Provisioning

Entersekt provisioning demo with consent screen

Before the code-a-thon, our colleagues from Entersekt had developed a proof of concept for Web-based payment app that supports Web Authentication. In this demo, the user has a payment app from their bank, and the bank authenticates the user as part of risk assessment. Entersekt showed us a video with the following two flows:

  • Enrollment: While interacting with their bank, the user installs a Web-based payment app. The payment app prompts the user to enroll a FIDO authenticator. In the video the user enrolls via the phone’s fingerprint reader.
  • Transaction: During a subsequent transaction, the user chooses to pay from the same payment app. The user selects the card to pay with, re-authenticates with a fingerprint scan, enters a PIN, and (after some risk assessment process) the bank returns a proof of payment to the merchant who submits it to complete the transaction.

Within the Web Payments Working Group we have been discussing a vision where payment apps are “first-class objects” in the browser, easily registered and managed via browser settings. We face an important question: “Will users want to register payment apps explicitly or will that create too much friction?” It has been argued that users are familiar with the ceremony of downloading and installing apps from an app store. If we adopt a similar approach for payment app registration, this might help increase the user’s understanding of which powers to grant to the payment app.

With that discussion as a back drop, Entersekt worked with the Chrome team to mock up a registration ceremony for their payment app. On the final day of the event they presented a video of a payment app registration mockup. This video only shows the payment app registration and provisioning; the checkout portion of the user experience would be the same as the first video.

This demo is likely to help us advance the conversation about payment app lifecycle and the relationship of explicit registration to trust, privacy, and security.

QR Codes for Multi-Device Checkout

Entersekt QR demo showing a desktop checkout, QR code scanned by phone, and authentication via that phone.

For several years, people have pondered how QR codes might be used as part of Payment Request flows. We saw our first proof of concept during the code-a-thon. Entersekt brought a second demo to the meeting with the following flow:

  • The user is shopping in a desktop browser and, at checkout, opts to pay via their phone, leveraging a QR code for communication.
  • On the fly, the browser installs a Web-based payment app from the user’s bank
  • That payment app computes and displays a QR code that represents some information about the transaction, including the amount and merchant identity.
  • The user opens a payment app from the same bank that runs on their phone. That payment app scans the QR code and prompts the user to confirm the transaction.
  • The bank server updates the payment app on the desktop to indicate that the transaction has been successful, and the merchant receives a proof of payment.

On the last day, Entersekt shared a QR payment video to illustrate the flow, including new consent mockups that they developed with Chrome.

Authenticate to Pay (Minimal UI)

Worldline demo using minimal UI - authenticate-to-pay

Last year, the Chrome Team and Coil to explore an “authenticate-to-pay” feature in payment apps that reduces the total number of user gestures to complete a transaction while simultaneously incorporating multi-factor authentication. Worldline colleagues expressed an interest in enhancing one of their existing Payment Request demos with this authentication UX. Working closely with the Chrome team, they made progress on their demo over the two days. The Worldline demo was shared a few days after the code-a-thon. Worldline indicated that they would like next to enhance the demo to satisfy PSD2 requirements, e.g., with an issing bank as the relying party.

The animation below also show the “authenticate-to-pay” user experience. At this time it is only experimental, it only runs on Android, and it does not yet leverage Web Authentication. But I think there is sufficient interest that the Web Payments Working Group will continue to develop the idea.

Authenticate to pay experience on a mobile device. The user pushes the Pay button, then uses the phone authenticator to complete the transaction for a certain amount, from a certain account, to a certain beneficiary.

Here’s what’s going on in the animation: in general payment apps can open windows for user interaction. However, in the authenticate-to-pay user experience, the payment app tells the browser: “if you launch me, I won’t open a window. Instead, please display the amount, beneficiary, and source of funds to the user and prompt them to authenticate using these credentials.” The browser, not the payment app, opens a small window for authentication. The browser then launches the payment app with the results of the authentication. The payment app does not open a window, but does evaluate the authentication results fed to it by the browser as part of completing the transaction. Because the browser opens a small window, this user experience has been nicknamed “minimal UI.”

Mobile Money on the Web

In the past we have had discussions with the GSMA about connecting operator-run mobile money systems to Web payments. The code-a-thon offered us a chance to catch up with GSMA colleagues. Opportunities to bring mobile money to the Web may be growing as smart phones are becoming more common in regions where mobile money is a widely-used payment method.

Although no code emerged from the discussion, Adrian Hope-Bailie did start work on a document for ongoing discussion: Mobile Money and Web Payments. It is possible that we may see more experimentation around mobile money and Web payments through the Mojaloop Project.

Undeveloped Ideas

Although people also expressed interest on day one in the last three topics, they did not lead to further discussion:

  • I pitched the idea of demonstrating a comprehensive authentication “cascade” that would provide the “best experience” if supported in the user’s environment, or fall back to a variety of alternatives.
  • We also discussed two points raised by Airbnb during TPAC 2019: integration of “card-on-file” payments into the Payment Request ecosystem, and leveraging responses to Payment Request for account creation.

On Planning a Code-a-Thon

I think that the success of the event hinged largely on preparation by the participants. Entersekt, Worldline, Coil, and Google had all prepared code or documentation. As always, demos focused our attention, raised compelling questions, and drove discussion. I want to thank all the people who brought code to the event.

The Chrome team helped people prepare by creating a starter kit for people who want to experiment with the Payment Request and Payment Handler APIs. I encourage you to try it out, share your project, and provide feedback on the starter kit.

Some additional notes:

  • Time zones created the usual issues for global participation.
  • Some participants indicated a tension between participating in the code-a-thon and doing their day job. One suggestion was to stretch out the virtual code-a-thon over an entire week, to allow people to squeeze in more coding and discussion time. I could imagine a schedule where we meet for 2 hours on Monday, 1 hour on Wednesday, and 2 hours on Friday.
  • We relied on IRC channels for chatting over multiple days. We did not do enough to ensure that people would have access to discussion even when they disconnected from IRC. We will definitely need to fix that for a future event (by using a proxy, or Slack, or some other solution).

Thanks to all the participants! I look forward to seeing more proofs of concept soon.

The Evolution of Payment Apps (I of II)

Following TPAC 2019 discussions last October I summarized how the Web Payments Working Group’s vision of Payment Request had been evolving based on experimentation, implementation feedback, and discussion.

Now it is time to share a new vision for payment apps, one driven by a host of changes on the Web, including our experience with Web payments APIs. These changes give us an opportunity to provide superior checkout experiences through payment apps compared to other Web technology.

Before we get started, here’s a quick reminder of some terms:

  • In the Payment Request architecture, the user interacts with a payment app to respond to the merchant’s request for data.
  • Payment apps today come in three flavors: built into the browser, native mobile, and Web-based. We call the latter two “third-party payment apps.”
  • The Working Group is defining the Payment Handler API as a standard way for Web-based payment apps to register and interact with browsers. Thus, a payment handler is (1) a Web-based payment app that (2) responds to Payment Request API.
  • A preliminary version of the Payment Handler API (a draft) ships today in Chromium browsers.

For a summary of some current benefits of payment handlers, see my October 2019 post on the payment handler value proposition.

Recent Chrome Enhancements to Support Payment Apps

The Chrome team has been very active over the past six months improving payment apps. (Thank you Chrome Team!) The October post included two points related to payment apps:

  • The “sheet” is the browser supplied UX for accessing browser-stored addresses and contact information, and for selecting a payment app when more than one is available. The Shopify experiment with payment Request suggested that the sheet surprised some users. This was also borne out by Mozilla’s internal research on their own implementation of “Basic-Card.”
  • Experimentation has led browser vendors to conclude that the people closest to the details of a given payment flow should build that experience. For this reason, browser vendors are now focused on providing the “pipes” to enable excellent third-party app experiences. Indeed, realizing this in 2018, Mozilla abandoned their work on the Basic Card implementation. Similarly, in January 2020, the Chrome team followed suit and announced plans to gradually remove their build-in support for Basic Card.

Regarding the sheet, we have also heard from potential payment app providers that they would like to manage and return user contact and shipping address information and would like to manage it instead of the browser. The Chrome team therefore proposed a means to delegate requests for shipping address and contact information to payment apps.

The Chrome team has also continued to improve two payment app features:

  • Just-in-time registration, which facilitates payment app distribution.
  • Skip-the-sheet, which improves the user experience by automatically launching a payment app under appropriate conditions such as when only one is suitable for a transaction. We have also been discussing user configuration of a “preferred payment app,” which would enable automation in more scenarios.

Thanks to these changes, we are exploring a few streamlined user experiences that do not involve the sheet. They start when the user clicks a payment button, after which:

  1. If the user has only one matching payment app, the browser launches it automatically.
  2. If the user has more than one matching payment app, the browser displays an app selector instead of the sheet. Co-Chair Adrian Hope-Bailie created a presentation on the app selector approach last October. A key point of this presentation is that there is precedent for this type of user experience (see also the Web Share API). Thus, there is some expectation that app selection will be less surprising than a “sheet” experience.

Share API illustration
Sample Web Share user experience

In both flows, the payment app can open a Window for user interaction, then return data to the merchant. We have started discussions of a third flow:

  1. If the user has only one matching payment app, and the payment app has registered with the browser its ability to do “authentication only”, then the browser automatically performs biometric or OS-level authentication. The user authenticates, and the browser passes the results (the “authentication assertion data”) to the payment app. In this scenario, the payment app does not open its own Window. The entire user experience —display of total amount and other transaction information, and the prompt for authentication— is managed by the browser.

This last flow in particular is likely to make payment apps the best user experience on the Web: you push the buy button and then authenticate and you’re done. By leveraging payment apps and authentication together, we thus have the opportunity to simultaneously improve usability, privacy, and security.

One last comment about the sheet before we move on: if you have use cases that benefit from the sheet, please let us know!

Minimal UI screen shot
Minimal UI Flow

Browser Changes that Affect Payments

In parallel with our work on Web payments, browsers are changing in other ways that have an impact on payments. As a result, we are investigating which additional capabilities payment handlers might need to enable streamlined checkout in light of these changes.

Restrictions to Cross-Origin Sharing and Storage

To enhance user privacy on the Web, browser vendors are moving quickly, and with some unity, to restrict cross-origin data sharing and to clamp down on any form of browser fingerprinting. These initiatives include standardization activities (e.g., automatically blocking third-party trackers, requiring remote origins/iframes to explicitly request first-party storage access, etc.) to help harmonize these new browser behaviors.

In the payments ecosystem, merchants often rely on payment service providers who include code via iframes in merchant pages. Because of these browser changes, this third-party content will lose cross-origin access to information stored in the browser (e.g., via cookies or indexDB). My understanding is that a big motivation is to reduce tracking (especially as is done today to enable targeted advertising). However, these browser changes will also have an impact on other scenarios such as risk assessment during a payment. Browser changes may potentially break existing code such as EMV® 3-D Secure implementations. For this reason, the Chrome team recently discussed changes to SameSite behaviors with the Web Payments Working Group and presented some mitigation strategies.

I do not think we have a clear vision of the path forward. A variety of groups are discussing use cases to inform designs.

Privacy as a Priority

Beyond changes to storage, browsers are taking further steps to improve user privacy, so we have been tracking conversations on trust tokens, efforts to reduce fingerprinting, and others.

The Chrome Team also developed a privacy threat analysis of Web payments APIs. This led to a series of proposed changes to payment apps to reduce the risks of cross-site tracking, fingerprinting, and unnecessary data sharing.

The mitigation strategies we have discussed —raising user awareness about the role of the payment app, ensuring that default behaviors protect user privacy, and others— also contribute to our emerging vision. For example, the Chrome team is researching privacy improvements such as UI treatment to raise user awareness when sharing data from a payment handler with an ecommerce site.

Web Authentication is Now Widely Deployed

Meanwhile, Web Authentication —half of FIDO2 along with the CTAP spec— is now shipping in all major browsers with more and more authenticator support, all very exciting. Because strong customer authentication (SCA) plays such an important role in payments (e.g., under PSD2 regulation in Europe and in 3-D Secure flows), we are having a lot of discussions about how to combine Web Payments APIs with Web Authentication to optimize the user experience of some payment flows.

If you’d like to help raise awareness about Web Authentication, please consider joining the WebAuthN Adoption Community Group.

Continue to Part II of this post for “A Way Forward.”

The Evolution of Payment Apps (II of II)

Read Part I of this post.

A Way Forward

These various forces suggest a few main themes for a way forward.

Embrace the App part of Payment Apps

Installing a mobile app is now a familiar experience. The Progress Web App (PWA) approach attempts to make Web applications more app-like (for both mobile and desktop). By moving payment apps more in this direction, we think we can solidify user acceptance of payment app lifecycle management, and solve some of the UX challenges raised by changing browser behaviors.

The user relationship with an app begins with a registration ceremony through the browser’s UI. Although there are some concerns about adding friction to the user experience of payment app registration, we think explicit registration ceremonies can simultaneously mitigate several of the risks described in the privacy threat analysis and provide a better user experience overall.

Before describing a few ideas for registration ceremonies, here are some of the activities it could include:

  • Requiring a user gesture before a payment app can be invoked automatically (skip-the-sheet).
  • Granting first-party storage access. This level of access could enable a payment app to recognize the user (through Web Authentication or other means) and maintain a session as the user makes use of the payment app across origins.
  • Giving the user the option of installing a launch icon (on mobile or desktop) – and integration with browser settings, allowing users to more easily find and manage their registered payment apps.

It is our expectation that the user experience of interacting explicitly with a payment app will be superior to alternative checkout implementations such as iframes that require the same types of consent. In addition, we think it will create better outcomes because a user is more likely to be comfortable granting privileges to a known app than to an unfamiliar piece of code embedded in a web site.

We are likely to see a variety of payment app registration ceremonies, both during a transaction and outside of a transaction. Here are some ideas; the first two are already deployed:

  • On a site that distributes payment apps (e.g., our fictitious bobpay.com), the user clicks the “Get Bobpay!” button, which prompts the user confirm registration.
  • During a transaction, the browser offers a payment app for just-in-time registration. The user selects it, which prompts the user to confirm registration.
  • In the browser’s settings, the user can easily add and configure payment apps. Indeed, much in the way that browsers out of the box list a few well-known search engines but allow the user to add others, we’d like to see browsers list a few well-known payment apps out of the box. Browsers could provide very streamlined UX —like a single checkbox— for registering a payment app, granting first-party access, etc.

One key to these ceremonies or others will be the quality of the UX provided by the browser. One aspect of that quality may well be how well payment apps integrate into the overall app model of a given platform.

Combine Web Authentication and Web payments

The Web Payments Working Group and Web Authentication Working Group jointly discuss payments use cases. We have reviewed several proposals that we think will improve transaction flows:

  • A Web Authentication Level 2 feature allowing cross-origin iframes (e.g., code from a user’s bank embedded in a payment handler distributed by another party) to retrieve (but not create) Web Authentication credentials. This should allow code embedded in a payment handler (such as issuing bank code) to authenticate the user during a transaction without requiring a full-page redirect to another site. We think that staying near the merchant checkout context is a superior user experience than a full-page redirect to another site.
  • An enhancement to Web Authentication that enables a relying party to create Web Authentication credentials usable by itself and another origin. This feature would enable, for example, a payment handler to control the authentication experience for the user, using credentials minted by the user’s bank. The payment handler could verify the authentication for its own purposes, then pass the same credentials to the issuing bank for its own purposes. In other words: less user interaction with all the trust (by two different parties involved in the transaction).
  • A proposal to leverage the combination of Payment Handler API and Web Authentication to fulfill transaction confirmation use cases (e.g., part of PSD2 regulation).
  • A proposal to use the same user gesture for two purposes: initiate Web Authentication and launch a payment handler.

For all of these, we seek to take advantage of Web Authentication in payments flows. The last two push the relationship further and thus would require some API changes grant special powers to payment handlers.

Session Persistence: More Discussion Required

Browser behaviors around storage (e.g., clearing storage automatically after a certain number of days, limiting third-party cookies) are likely to affect session persistence. This means that users are likely to have to log in on more sites, and more frequently, adding friction to checkout and raising the risk of card abandonment.

We are currently trying to figure out whether payment handlers can be empowered to enable greater session persistence in ways that benefit the user, by building on the trust relationship the user establishes with the payment handler via explicit lifecycle management.

I’ve heard the following goals:

  • Make it very easy for users to log in. One way to increase session persistence would be to make it harder to clear cookies, but that strategy is not likely to gain traction with browser vendors. Therefore I am trying to emphasize making it “easier to get in” instead of “harder to get out.”
  • Improve security by not relying on cookies, which are exfiltratable.
  • Make it easy for users to consent to sharing information across origins for payments.
  • Minimize the need for user interaction.

Some of these things can be done today, such as one-click login using passwords stored in the browser, and Web Authentication for password-less login. Neither of those relies on cookies (point #2). Stored passwords are distinguished from cookies in the browser UX to clear stored data, and can thus be made more persistent than cookies.

New APIs are emerging that may also help, including the Credential Management API (to automate logins under some conditions).

We need to do more collaborative work with the payments industry to document requirements, and then to map those to both current and new technologies.

Code-a-thon!

We think that adoption of these proposed features would add great value to payment apps for a variety of payment flows. To prove it to ourselves, the Web Payments Working Group is running a virtual code-a-thon later this month. I look forward to seeing cool innovations and demos, and to sharing them in this forum in early June.

Before I go, I’d like to again thank all the engineers who are contributing to improving payments on the Web! And many thanks to Marcos Caceres and Danyao Wang for feedback on this post.