Meeting minutes
Survey results
Top five use cases
- Authentication different merchant
- Frictionless Checkout (no user presence check or payment confirmation dialog)
- In-transaction enrollment, later authentication same merchant
- Authentication with out-of-band authenticator
- Express Checkout (no user presence check)
- Authentication by bank after redirect
<smcgruer_[EST]> Stephen: Note that this ordering doesn't pay attention to number of responses to a given use-case.
<smcgruer_[EST]> ... so Frictionless Checkout only got two votes, meaning it was outside of the top-5 for 4/6 respondents
<smcgruer_[EST]> ... we need to analyze this deeper
What is enrollment?
IJ: Question from Gerhard was "What is enrollment?"
smcgruer_[EST]: Today you need to store the credential in the browser. My view is that the RP has control and maintains the binding. They can say "This is my credential and it can be used for payment."
… if they get a payment somehow where the credential has not gone through the flow, then can choose not to accept it.
IJ: What does enrollment do?
smcgruer_[EST]: First pilot motivated us to try a standardized enrollment UX.
… we may find it is useful or not
btidor: I thought one reason for the enrollment UI was to allow it to happen in an iframe
smcgruer_[EST]: permission policy on iframe suggests it would be fine (without UX for enrollment)
… I have been thinking this could just be something that's part of WebAuthn
btidor: If we could just do permission policy and remove enrollment screen, that would be amazing.
btidor: SPC would allow 1p enrollment of WebAuthn credential (unlikely vanilla WebAuthn)
smcgruer_[EST]: Right, gated behind permission policy
btidor: Maybe "upgrade" and "create" permissions are different
Ian: Is enrollment in a 1p context a requirement?
btidor: I hear there's a proposal to integrate SPC into FIDO
… how do we think about what we can specify here vs. WebAuthn?
<Zakim> smcgruer_[EST], you wanted to note that 'In-transaction enrollment' essentially states that cross-origin iframe requires that
smcgruer_[EST]: On the question of 3p enrollment; it's sort of covered by the use case of "enrollment during transaction"
… to btidor's point, I think enrollment could wind its way to WebAuthn
… on authentication, i think that will solidly stay in WPWG space
btidor: That makes sense
<Zakim> AdrianHB, you wanted to ask about "instruments" in SPC vs WebAuthn?
AdrianHB: Where do payment instruments fit in? When I enroll an authenticator, do I explicitly say which instrument I will use for future auth?
… or does instrument stuff happen at auth time?
… what worries me is disconnect between instrument information and losing connection to RP
smcgruer_[EST]: We are interested in this direction - instrument is auth-time; and you are correct there is a UX issue
"At enrollment, the Relying Party should be able to provide information about zero, one, or more than one instruments, and the browser should support verbiage in the user experience that communicates what the user is consenting to."
<btidor> +1 to not precluding software authenticators!
Ian: API should abstract above "credential id" even if v1 is focused on FIDO
<Zakim> smcgruer_[EST], you wanted to discuss comment on discoverable credentials
Ian: The less we store in the browser, the less instrument selection work we can do (I think)
Editor's Note: After the meeting, Stephen McGruer wrote to the WG about this agenda item: "Having done some digging, I need to correct myself from this meeting. When we moved to allow SPC enrollment to happen in an iframe (for Origin Trial #2), our security/privacy folks were the ones who asked for an explicit browser enrollment UX, to make sure that the user was aware of what was happening. This decision isn't necessarily final, and I'm following up internally to see what might change if WebAuthn themselves allow cross-origin creation of credentials, but for now let's proceed assuming an enrollment browser UX is required (at least by Chrome; other browsers may make different decisions)."
Agenda for Thursday?
<clinton> +1
AdrianHB: Yes, but let's define those topics
btidor: Might be good to talk through what we want to do that may or may not make sense from a FIDO perspective.
<mweksler> +1
<AdrianHB> +1
Next SPC task force call
28 June