TPAC Recap (2024 Edition) - Authentication, Credentials and Payments

More than 500 people from the W3C community came to Anaheim, California (23-27 September) for the 2024 Edition of TPAC, W3C’s big annual meeting. This is my personal summary of key topics and discussions that took place in different group meetings and breakouts; see in particular the Web Payments WG TPAC agenda, which includes links to minutes.

Secure Payment Confirmation (SPC)

Secure Payment Confirmation (SPC) is designed to make strong authentication during checkout flows easier and more secure. During the week:

• We heard encouraging feedback on the usefulness of the technology from pilots, including a report from Visa and a report from Mastercard.
• MercadoLibre also presented the use case for SPC in PIX, Brazil’s fastest growing payment system. This is the second year in a row that we’ve heard strong demand for support for PIX.
• Through a presentation on regulatory trends, Fime made clear some of the strong authentication requirements common to several regions of the world. This presentation underlined the importance of “possession factors” to strong authentication solutions, including SPC.
• Passkeys have gained significant traction as the future of Web login, but synced passkeys “sacrifice” a strong possession factor in the name of usability because they can be shared between devices. That makes good sense for login use cases, but makes it harder to use passkeys on their own for payments use cases.
• For that reason we spent a good amount of time discussing a proposal to enhance SPC with what we started calling a “browser-based key.” At a high level, when a user authenticates through SPC, the API would return both a Web Authentication assertion with a signature over the transaction detail and a second signature using an additional private key local and specific to the device and secured by the browser. During Thursday’s meeting we walked through a draft list of requirements for this new feature and I anticipate that we will add those requirements to the discussion about the feature over the next week or so. The requirements should help use ensure the feature fulfills regulatory expectations in Europe and beyond.
• On Tuesday, the Web Payments Working Group met jointly with the Web Authentication Working Group to discuss the proposal. The Web Authentication Working Group had developed two proposals that would have added a possession factor back to passkeys: the devicePublicKey extension and subsequent supplementalPubKeys extension. However, the Web Authentication Working Group has dropped those proposals for the general passkeys-for-login use cases. For that reason, the Web Payments Working Group pitched the idea of adding a similar feature to SPC. We made the case that since SPC has a built-in “transaction confirmation” user experience, the browser has confidence the user is choosing to authenticate to make a payment. Therefore, the browser can more comfortably provide more information about the device after a successful authentication. We heard some support for adding such a possession factor to SPC and no objections.
• Finally, the Chrome Team also showed some UX mock-ups of the new user experience features of their implementation of SPC. The UX has been evolving based on pilot feedback and we heard at the meeting appreciation for these improvements.

My hope is that between now and the end of the year, the Working Group will (1) publish a set of requirements for a new “browser-based key” feature of SPC and (2) the Chrome team will implement the feature (and update the specification) to enable experimentation.

Digital Credentials

The Digital Credentials API explainer usefully frames the current hot topic of digital credentials and wallets on the Web:

“Government-recognized documents play a big and constructive role in society (e.g., drivers licenses, passports, etc.). Increasingly, with the movement of government and financial services online, and regulation (e.g. eIDAS and various age verification regulations), these paper-based documents are gaining digital counterparts.”

What W3C technologies might play a role in a digital credentials ecosystem where digital credentials are issued, stored in wallets, presented during interactions on the Web and subsequently verified? The following list is just a starting point:

• Digital Credentials
• Credential Management
• Verifiable Credentials
• WebAuthn / Passkeys
• Payment Request / Payment Handlers
• Secure Payment Confirmation (SPC)
• FedCM
• Device Bound Session Credentials

During the Web Payments Working Group meeting we held a session on digital credentials and payments to socialize ideas for an architecture for digital credentials for e-commerce transactions. My main take-away (other than this is a hot topic) is that the payments community at W3C needs to become more involved in the broader digital credentials work. It also struck me during the conversation that some of the current momentum for non-payments use cases may lead to new approaches for credential exchange that look like the Payment Request and Payment Handler APIs. We will want to share our experience with those APIs in ongoing discussions and also track whether a broader digital credential exchange approach might gain more traction than the Payment Handler API has had to date. There were many other sessions about digital credentials at TPAC in various group meetings. In addition, Tim Cappalli led a breakout discussion titled “Real World Identity and the Web... Continued”; I found the slides from that presentation quite interesting.

All the other topics!

Our discussions covered many other topics during week, which I greatly appreciated and know we will continue to work on:

• Fraud trends (led by Entersekt)
• Regulatory trends (led by Fime and Worldline)
• Merchant perspectives (led by MAG)
• Improving address autofill (led by Shopify)
• Ideas for using Device Bound Session Credentials and CHIPS with EMV® 3-D Secure (led by Fime)
• Ideas for using Web Authentication and GNAP with EMV® Secure Remote Commerce (led by Fime)
• Web technology and experiences with PCI v4 (led by Shopfiy)
• Updates from the FIDO Alliance (trust signals, credential exchange)
• Joint discussions with the Anti-Fraud Community Group about the use of IP Addresses in fraud mitigation for payments

W3C @ 30

I’ll close by mentioning the W3C @ 30 Gala where the community celebrated 30 years of W3C’s activities to build a Web for everyone. I encourage you to check out the W3C @ 30 video (which even mentions Web payments!). Speakers at the Gala shared moving stories about how the Web transformed their lives. Their stories (and TPAC generally) reminded me how important it is to pause our technical discussions from time to time and acknowledge our positive impact on so many people’s lives, at the scale of the planet. TPAC remains my favorite work week of the year.

Photo of the Web Payments Working Group Meeting