<scribe> Scribe: Ian
Ian goes through: https://www.w3.org/2018/Talks/ij_tpac_auth/#14
Brian: The approach makes sense.
Standardized data set makes sense for 3DS.
... having consistency coming from browsers makes sense
IJ: From 3DS perspective, an improvement could be method_url implementation using a new browser API
Brian: That approach is how it's done in native.
IJ: Yes, part of goal is to get standardized data.
Brian: Feedback from industry on standardized device idea was risk of spoofing
... The end goal is to have enough information to make a risk assessment
... the information being browser-based, there are things that are generically available (6 or 7 high-level data points)
... those have some relevance but don't tell the whole story
... if there were a way to get attestation about the data, that would be helpful.
... knowing same browser + user would be relevant
... but additional context useful (e.g., "same browser in a different country")
... good signal to have server vouch for data
Rouslan: Google would either essentially trust the browser or not
... that's as far as we have thought through this
... we could also think about providing a "level of confidence"
... but at a certain level of confidence we would stop talking to the browser entirely, and the browser could not contact the google server to get a score
... so essentially the only possible value you could get from google is "99%" or "100%" ... which is not very useful
Brian: there are multiple signals. One signal like "trusted browser" is relevant
Rouslan: have a look at https://github.com/w3c/webpayments/wiki/DeviceDataAPI
Brian: I think the end game is to unify browser and in-app scenarios.
... One reason auth may not be good enough is that it's only as good as the initial enrollment (ID&V)
Jonathan: Two use cases (1) user does not have FIDO authenticator (2) ID&V is not done well
Brian: Summary - get relevant data, consistent data, low friction user experience
Ken/Brian: Fraud is like water
IJ: I would like input on:
- the slide deck https://www.w3.org/2018/Talks/ij_tpac_auth/
- This proposal: https://github.com/w3c/webpayments/wiki/DeviceDataAPI
- Any other written down proposals for how the browser could provide relevant, standardized, and trusted signals for risk analysis.
3 October (regularly scheduled) call
IJ: If we don't have feedback at that time, we'll postpone until TPAC
Jonathan: Let's meet in 2 weeks instead.
Ian: I am at risk
... let's aim for 3 October and if not, then schedule a week later