Web Payments Meeting (May 2022 Edition)
In early May the Web Payments Working Group held an energetic remote meeting; see the agenda and minutes.
While we were meeting, the FIDO Alliance released a press release with headline Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins. This type of strong industry support for Web Authentication/FIDO is very exciting because Secure Payment Confirmation (SPC) builds on those technologies and benefits from the momentum.
In preparation for advancing SPC to Candidate Recommendation we have been working through our issues list and stabilizing the version 1 feature set. We closed 7 issues in the past month including through joint discussion with the Privacy Interest Group and the Web Authentication Working Group. We have also labeled some issues as "after version 1." See below for details about how we plan to manage the remaining 10 issues.
At the meeting we heard a bit about recent changes to the Chrome implementation of SPC and upcoming plans. Modirum colleagues provided a demonstration of their EMV® 3-D Secure implementation (version 2.3) that integrates SPC. Airbnb and Adyen shared a brief update on their SPC pilot. We will continue to look for support in more browser engines and refine the specification based on feedback from pilots.
We also discussed Web Authentication more broadly. Best Buy has deployed Web Authentication for login and shared some of their experiences with the group. We also heard about some PSD2 use cases from (French bank) BPCE. In addition to SCA and dynamic linking for payments —the use case for SPC— they have similar requirements for authentication and signatures over transactions involving sensitive data. General browser support for signing transaction data with authenticators has been discussed previously in the Web Authentication Working Group; our recent joint discussion with them may re-energize the topic.
Here is a quick summary of our remaining 10 issues and how we plan to address them on the road to Candidate Recommendation.
Web Authentication Topics
The bulk of our remaining issues relate to the SPC dependency on FIDO. In some cases, we think the proper long-term solution will involve enhancements to WebAuthn and/or CTAP:
- Issue 12: support for roaming authenticators. This issue involves both UX challenges and the need for support in CTAP for silently querying roaming authenticators for available credentials.
- Issue 124: determining when to enroll the user (in a way that protects user privacy)
- Issue 157: support for a "cross-origin" bit and CTAP; issue 154 relates to this and is about user consent to allow cross-origin reuse of a credential>.
- Issue 175: impact of multi-device credentials on SPC.
- Issue 187: improving understanding of who is authenticating for whom
I expect the Working Group will try to (1) balance the desire to advance SPC to Candidate Recommendation in a timely fashion with (2) remaining in sync with FIDO advances. It may be that SPC implementations support short-term solutions to some of these issues (e.g., involving caching information) and then evolve as underlying specifications support new capabilities.
Stripe asked in issue 172 how to enable a user to opt-out of stored payment credentials for compliance with regulation such as GDPR. In scenarios where the user authenticates in a first-party context, it is straightforward to offer an opt-out feature. With SPC, authentication may happen in a third-party context where it is less obvious how best to offer an opt-out solution. We have been discussing when it would be most appropriate to provide the user with information about how to opt-out:
- At registration time.
- At transaction time, before authentication starts
- At transaction time, during authentication. Overall I've not heard much support for opt-out during authentication.
- At other times.
These discussions are ongoing; Stripe plans to conduct a deeper analysis of their requirements.
I raised issue 77 with the hope that we would find a technology solution to preserve privacy as SPC credentials are shared across origins. We have not found a practical technology solution. Our current plan (see pull request) is to provide guidance to relying parties and others on how to manage identifiers.
In order to better align with EMV® 3-D Secure requirements we've received a request that the Chrome implementation of SPC display larger icons (issue 184). EMVCo colleagues have also suggested additional UX enhancements such as the display of additional icons.
I look forward to our next extended meeting —TPAC 2022 in Vancouver— by which time I hope that we will have reached Candidate Recommendation (or come very close).