Risk Analysis, Device Identification, and Privacy

Ian Jacobs

August 2019

Overview

EMV® 3DS Design Goals

Different EMV® 3DS Trust Environments

Some Comparisons

                   SDK    JS
Certification      Yes    No
Data Encryption    Yes    No
Unique ID          Yes    No
UX Controlled*     Yes    No

Web approach: Browser fingerprinted via injected JS from issuer.

*Not covered in this deck.

Limitations to this Approach

How can we improve this?

On Cookies

Note: This is a use case for bank-issued payment handlers, since the user is visiting the origin that is doing the risk assessment.

On FIDO2

Some comments Ian has heard:

On Browser-generated Identifiers

Browser-generated ID Criteria

Discussion Topics

Note: Good to find solutions that work for multiple payment methods!