13:48:23 RRSAgent has joined #wpwg
13:48:23 logging to https://www.w3.org/2022/05/05-wpwg-irc
13:48:32 Meeting: Web Payments Working Group
13:48:49 Agenda: https://github.com/w3c/webpayments/wiki/Remote-Agenda-202205
13:48:55 Scribe: Ian
13:49:07 RRSAGENT, make minutes
13:49:07 I have made the request to generate https://www.w3.org/2022/05/05-wpwg-minutes.html Ian
13:49:10 RRSAGENT, set logs public
13:51:27 present+ Ian_Jacobs
13:59:39 present+ Stephen_McGruer
13:59:43 present+ John_Bradley
14:00:17 present+ Erhard_Brand
14:00:36 present+ Carey_Ferro
14:00:40 present+ Steve_Cole
14:00:52 Carey has joined #wpwg
14:01:24 present+ Nick_Burris
14:01:27 present+ Haribalu_V
14:01:37 present+ Praveena_Subrahmanyam
14:01:42 present+ Anne_Pouillard
14:01:52 present+ Bart_de_Water
14:01:57 present+ Richard_le_Dain
14:02:12 praveenas has joined #wpwg
14:02:19 Anne has joined #wpwg
14:02:58 present+ Adam_Kelly
14:03:05 present+ Jayadevi
14:03:08 present+ Michael_Horne
14:03:18 present+ Doug_Fisher
14:03:22 present+ Uno_Veski
14:03:25 present+ Ryan_Watkins
14:03:31 present+ Hemnath
14:03:42 bdewater has joined #wpwg
14:04:10 present+ Christiaan_Brand
14:04:17 dougf has joined #wpwg
14:04:24 Uno has joined #wpwg
14:04:56 present+ Sameer_Tare
14:05:02 present+ Gerhard_Oosthuizen
14:05:15 Gerhard has joined #wpwg
14:05:17 present+
14:05:50 Hemnath has joined #wpwg
14:06:35 present+ John_Fontana
14:07:45 Topic: Web Authentication WG
14:08:16 present+ Sami_Tikkala
14:08:20 present+ Tomoya_Horiguchi
14:08:37 present+ Anwar_Moco
14:08:37 bryanluo has joined #wpwg
14:08:42 present+ Bryan_Luo
14:09:29 present+ Manish_Garg
14:11:31 present+ Tim_Cappalli
14:16:29 http://www.w3.org/2022/Talks/wpwg-authn-202205/wpwga-202205.pptx
14:17:09 IJ: What is status of request to FIDO2TWG?
14:17:32 smcgruer_[EST]: Proposal has been made; we had an initial discussion on Tuesday (this week); they have assigned some reviewers.
14:17:54 present+ Krithi
14:18:09 John_Bradley: Will be a topic of conversation at FIDO plenary in 2 weeks
14:18:23 ...after a first read of the proposal, extension makes sense.
14:18:30 ...will probably have to have discussions about what the response means.
14:18:59 ...if a FIDO authenticator does not understand the bit you won't get it back in the response; that could be a useful signal
14:19:25 ...what goes into the extension and how is it treated by the RP?
14:19:53 John_Bradley: Rather than have the platform management flags, I prefer the individual extension flag to allow authenticators to manage the storage.
14:20:10 Ian: Who is participating from WPWG in the FIDO meeting?
14:20:14 benoit has joined #wpwg
14:20:42 Christiaan: I'll be there and will work with Stephen
14:21:32 present+ David_Benoit
14:21:43 Ian: For WebAuthn, what has to happen and how do we get it done?
14:21:54 John_Bradley: WebAuthn just passes through the extension during create().
14:22:09 Ian: Is the extension defined in a W3C specification?
14:22:16 q+
14:22:17 John_Bradley: It would more likely be CTAP
14:22:50 ...since it relies on changes to the protocol
14:23:06 ack smcgruer_[EST]
14:23:42 smcgruer_[EST]: Agree that there are no "client processing steps" at creation time.
14:23:48 Steve_C has joined #wpwg
14:24:14 ...but for WebAuthn folks, given that we want to expose this in a way similar to Conditional UI, is there a WebAuthn spec change for credential listing APIs?
14:24:41 ChristiaanBrand: We are talking about the client querying the story; this is outside of scope of WebAuthn itself IMO
14:24:55 s/story/credential store
14:24:57 SameerT has joined #wpwg
14:25:07 present+
14:25:11 John_Bradley: Because platform authenticators do some proprietary things, there is no defined API between browser and platform authenticator.
14:25:31 ...closest we may have is Akshay API that will expose information from Windows platform authenticator to browsers running on Windows.
14:25:37 ...but that's not in any specification.
14:26:00 smcgruer_[EST]: So I hear 2 work streams (1) working with platform authenticators (2) for remote authenticators, CTAP changes
14:26:32 John_Bradley: We have to figure out in CTAP a standardized way to say "this bit is exposed this way in credential management output"
14:27:00 ...there are two ways the platform could get at the information, doing a get() with or without allow list and iterating through credential list, or using credential management API.
14:27:23 q+ to comment on SPC's extension today - https://w3c.github.io/secure-payment-confirmation/#sctn-payment-extension-registration
14:27:25 q?
14:28:02 John_Bradley: Some of this is CTAP work and will require collaboration.
14:28:03 ack smcgruer_[EST]
14:28:03 smcgruer_[EST], you wanted to comment on SPC's extension today - https://w3c.github.io/secure-payment-confirmation/#sctn-payment-extension-registration
14:28:48 smcgruer_[EST]: We do have an extension in the SPC spec. At registration time, the client extension steps (1) enable cross-origin creation, which we'd like to move out of SPC (2) they do some enforcement on forcing discoverable credentials, etc.
14:28:55 ...we might be able to remove client steps at registration
14:29:07 ...but at authentication time, we put payment information in client data.
14:29:20 ...we'll either need to move this into WebAuthn or keep it in SPC.
14:29:25 ...are you ok with an extension defined in SPC?
14:29:30 present+ Tony_Nadalin
14:29:50 John_Bradley: Probably most appropriate for WebAuthn
14:30:15 ...we should also consider whether the extension information is passed on through to the authenticator so that authenticators with displays can also display it.
14:30:37 ...e.g., CABLE scenario, where the display of information can be displayed on different screens.
14:30:51 ...there are reasons to prefer mobile device (e.g., less malware)
14:31:04 ...so there's probably a good argument for passing data through to authenticators that can display it
14:31:32 q?
14:32:07 q+
14:32:31 [Brief side discussion on I18N here]
14:32:54 John_Bradley: Note that the authenticator would not be storing some information (due to space constraints)
14:33:04 ack smcgruer_[EST]
14:33:34 smcgruer_[EST]: How should we resolve question of where information goes?
14:34:13 John_Bradley: We have to figure out what comes back in the extension (e.g., hash of what was displayed) that can be compared to collected client data.
14:34:27 smcgruer_[EST]: I think the payment industry needs it to be signed over.
14:34:38 John_Bradley: In the signed extension you'd get back a hash of what the display information was.
14:35:32 jonathan_ has joined #wpwg
14:37:09 John_Bradley: We need to be sure that in the spec, if we are going with extension, that existing roaming authenticators without this extension would still be usable with SPC in a 1p context, assuming they support discoverable credentials.
14:37:27 ...we should make sure that, in the short term, the population of existing roaming authenticators work in a 1p context.
14:37:52 John_Bradley: As long as we define the extension in the right way, it should make that easier.
14:39:49 John_Bradley: When WebAuthn client sees extension for special bit, then the client may take multiple paths to enumerate available credentials.
14:39:56 ...so there's probably some platform processing things that we'd want to change.
14:40:07 present+ Jonathan_Grossar
14:40:15 present+ Christian_Aabye
14:40:29 Hemnath_ has joined #wpwg
14:40:39 John_Bradley: Some of that extension processing would happen only in the SPC context.
14:42:03 Things that have to be done:
14:42:07 * Define the extension
14:42:13 * Figure out the UI (and where that is specified)
14:42:27 Tony: We have to look at "is this useful for anything else for WebAuthn?"
14:43:17 ChristiaanBrand: We should look at generic transaction signing again in WebAuthn
14:45:02 present+ Wendy_Seltzer
14:45:06 [Issue 154]
14:45:30 John_Bradley: Anybody that implements a user dialog about opting out. I think this should not be in WebAuthn. Could be done at the platform layer.
14:45:52 +1
14:45:52 ...e.g., Chrome could allow someone to allow setting the bit, and the RP would know because they would not get the extension back.
14:46:11 q?
14:46:26 Tony: If we leave it up to the platform to do the dialog, it will be done differently everywhere, which will also be confusing.
14:46:50 John_Bradley: Saying you need to do a dialog has not created conformity across browsers to date.
14:47:04 John_Bradley: I'm against forcing browsers to have this dialog.
14:47:07 Tony: +1
14:48:10 John_Bradley: Extra dialogs will create drop-off. We may see banks, for example, causing users to create 2 credentials (one for 1p, one for 3p)
14:48:33 q+
14:49:20 smcgruer_[EST]: I don't think from a user perspective that SPC is different here from WebAuthn in an iframe.
14:49:43 Tim: I agree with that point. This discussion re-raises issue of naming RPIDs in dialog
14:50:22 [Issue 128]
14:51:01 smcgruer_[EST]: There is an existing tracking concern around WebAuthn and tracking, where RP somehow registers user in a malicious context, and then later the malicious tracker activates WebAuthn in a 3p context.
14:51:21 ...our privacy folks said SPC lowers bar slightly during registration (in a cross-origin iframe).
14:51:29 ...there are protections against this (e.g., permissions policy)
14:51:36 ...so our privacy folks asked for user activation
14:51:44 ...so our plan is to fold this in.
14:52:48 Tony: This would affect WebAuthn (user activation)
14:53:18 smcgruer_[EST]: It only affects you if you are creating a payment-labeled credential. Longer term could be better in WebAuthn.
14:55:23 +1 to Stephen's point
14:55:25 smcgruer_[EST]: we would like to have the conversation about cross-origin registration in WebAuthn; payment industry partners would like that in order to use more WebAuthn
14:55:42 John_Bradley: Is this "user activation" for iframe only or all credentials?
14:55:51 smcgruer_[EST]: Currently it's only for cross-origin create
14:56:11 John_Bradley: Cross-origin creation not allowed in WebAuthn; if we add it, then user activation is probably a good idea.
14:56:43 s/Currently//
14:57:22 Manish has joined #wpwg
14:58:12 [Issue 12 roaming authenticators]
14:58:30 John_Bradley: We heard from BPCE yesterday that they would want roaming authenticators.
14:58:59 q+
14:59:03 ack smcgruer_[EST]
14:59:06 q-
14:59:08 ack Gerhard
14:59:32 Gerhard: Yes, we would love roaming authenticators. But for it to roam, we would need "no caching"
15:00:12 q+
15:00:18 John_Bradley: Browser only needs to store information for credentials to be used in a 3p context.
15:00:26 ...would work now without that bit in a 1p context.
15:00:49 ack smcgruer_[EST]
15:01:18 smcgruer_[EST]: The important part of SPC is we only show the transaction dialog when there is a chance the user can succeed (a form of conditional UI, as it were).
15:01:43 ...it means there's a matching credential nearby. This is trickier for roaming authenticators. Today we do it for platform authenticators via cached data.
15:01:57 ...if we want to do it without the SPC bit, we'd need to cache ALL FIDO credentials.
15:02:45 John_Bradley: The SPC bit is about "this credential can be used in a 3p context for SPC".
15:03:18 ...I think banks will want to be able to use FIDO credentials with SPC in a 1p context.
15:03:44 Christiaan: I think roaming authenticators for bank use cases are a great use case.
15:04:11 John_Bradley: The question is the SPC dialog ... to cause SPC to go look for another authenticator.
15:04:36 Ian: How is this managed today?
15:04:57 John_Bradley: Non-modal UI is not there yet but coming. I believe there will be an additional option for roaming authenticators.
15:05:21 ...we did start a conversation on pairing a roaming authenticator with platform so that credentials could be pre-populated and cached.
15:05:39 ...it's not really a problem if all discoverable credentials are displayed.
15:05:52 ...if it's not appropriate for SPC, then the verifier should not be sending the credential ID
15:06:23 q?
15:06:46 q+
15:06:55 John_Bradley: We'd have to understand conditions under which this optional UX could be displayed.
15:07:18 ...would need to indicate that someone wants to use an external authenticator.
15:07:35 ...not sure that caching all the credentials from roaming authenticators is that big a problem.
15:07:50 smcgruer_[EST]: The caching idea is interesting, but might be better at platform level rather than browser level.
15:08:17 Tim: There's definitely a benefit of link type function at OS
15:08:32 Christiaan: Are we saying that new roaming authenticators won't work?
15:08:57 John_Bradley: Maybe first time you plug in your key you are asked "do you want to use this for secure payments"
15:09:14 Tim: I think it would be like when you plug phone into computer and there's a pairing experience / dialog
15:09:24 Christiaan: I think it sounds reasonable to cache data
15:09:26 q+
15:09:36 John_Bradley: We can do this now with credential management
15:09:38 ack Gerhard:
15:09:55 Gerhard: We don't want to deviate in UX and other processes.
15:10:38 ...if 3DS sends back 5 credentials (2 platform, 2 phone, 1 roaming)...I am hearing that Stephen wants to know that there are 2 that work
15:10:45 ...Stephen is caching the first two
15:11:40 ...until we are clear on WebAuthn way forward, we don't want to implement it in SPC
15:11:58 q?
15:12:00 ack Gerhard
15:12:21 ack smcgruer_[EST]
15:12:48 [Stephen shows a demo]
15:13:49 ...you could plug in security key in dialog that tells user no credential found.
15:14:14 ...so in this case, WebAuthn ceremony could be triggered first, and then only after the tx dialog would be shown
15:14:51 ...if I've never registered, there is a UX issue.
15:15:12 ...I like John's pre-caching idea but even without that there are some things we could do.
15:16:36 John_Bradley: If Non-modal UI is used to get the list of credentials; that can also be used to expose the credentials from roaming authenticators
15:17:07 q+
15:17:10 ack SameerT
15:17:32 SameerT: Does the RP know that a credential comes from a roaming authenticator?
15:17:38 John_Bradley: You get back a transport hint.
15:17:51 ...so "USB" and "NFC" and "BLE" give you some information
15:18:06 dom has joined #wpwg
15:18:58 Tony: Are you sure this is checked at certification?
15:19:10 John_Bradley: It is checked that it is provided; not that it is accurate
15:19:40 SameerT: If the RP knows that the device being used is a roaming authenticator, they may not send it if the UX will break.
15:19:47 q?
15:22:07 RRSAgent, pointer
15:22:07 See https://www.w3.org/2022/05/05-wpwg-irc#T15-22-07
15:23:49 [SPC 174]
15:23:57 John_Bradley: Depends on timing; when extension codified.
15:24:03 ...we should probably redefine the extension.
15:24:09 ...the extension is "Device Public Key"
15:24:27 ...please return me a flag so that I can tell whether the credential is being used on the same device or a new device.
15:24:40 ...for security purposes a verifier can tell whether this is a new device.
15:25:03 Tim: The RP does NOT need to request the extension.
15:25:16 ...the flag is set at creation time
15:25:58 John_Bradley: We should make sure that SPC causes platform discoverable credentials created on Android to emit the device public key extension
15:26:26 Tim: Suggest not hard coding the extension in SPC
15:27:21 John_Bradley: If we don't require it as "always being required" then we need to tell all merchants that they need to include it. Request is potentially coming from a 3p
15:27:29 ...that's why making it mandatory in SPC would simplify some things
15:27:34 Tim: I do agree with that.
15:28:02 Tim: Are these banking folks ok with the change?
15:29:33 Jonathan_Blocksom: Here at Capital One, we'd send fact of new device to our risk engine; it would probably send a request for MFA at that point.
15:29:37 present+ Joe_Vasterling
15:29:55 Tim: That's exactly how we imagine this being used. So I guess I am in favor of requiring it.
15:30:49 ACTION: Ian to work with all the chairs to schedule continued coordination time with WebAuthn
15:31:01 RRSAGENT, make minutes
15:31:01 I have made the request to generate https://www.w3.org/2022/05/05-wpwg-minutes.html Ian
15:31:26 Topic: Best Buy experience with WebAuthn for Login
15:32:20 Joe: We've been looking at WebAuthn for frictionless login with good security
15:33:06 ...there is an option to select WebAuthn to log into your profile
15:33:19 ...there are a few hurdles we've seen
15:33:25 ...first one is "what do we call this"?
15:33:49 ...it's not easy to relay to customer what they will be doing.
15:34:01 q+ Tony
15:34:34 Joe: We are also hearing from our devs that the technical documents can be confusing / incomplete.
15:34:57 ack Tony
15:35:16 Tony: Do you think people understand what WebAuthn is? They understand "sign in with Google" etc.
15:35:29 Joe: I agree. That friction we are feeling is that consumers may not get it
15:35:55 ...they are starting to communicate more closely to familiar phrases.
15:36:20 Tim: In the press today we are making an industry push to call this "Use a Passkey"
15:36:30 ...we'd like to move away from platform specific branding
15:36:34 ...we are pushing strongly for this.
15:36:42 https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/ & https://blog.google/technology/safety-security/one-step-closer-to-a-passwordless-future/ & https://www.apple.com/newsroom/2022/05/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard/ :)
15:38:01 Tim: We think this is a good approach moving forward.
15:38:34 Joe: Where are we in our journey? Testing and learning.
15:38:51 ...I appreciate the press release today describes things that will be helpful from a UX perspective.
15:39:48 [Joe shows a demo of how this works today on bestbuy.com]
15:39:57 present+ Dominique_Hazael-Massieux
15:40:09 q+
15:40:38 [Joe lists benefits of using FIDO over passwords]
15:40:50 Joe: We see the value; key is to test and learn
15:40:59 ack smcgruer_[EST]
15:41:12 smcgruer_[EST]: Small question on the demo - right at the start there is a Best Buy mobile UI
15:41:20 ...did the user click a button to cause that modal to show up?
15:41:39 Joe: It pops up post registration
15:43:35 Ian: Anybody want to speak to documentation?
15:44:07 q+
15:44:10 q+
15:44:14 ack Gerhard
15:44:35 Gerhard: Regarding the device spread you've seen with this (between Mac, Windows, Android)...
15:45:02 Joe: Right now primarily on desktop (Chrome, Edge)
15:45:23 ...for our in-app experience, I could see what information we are seeing in terms of adoption.
15:46:08 Dom: Thank you for the presentation. You indicate that your team found gaps in documentation. Is that documentation on the API itself, or the overall user journey with WebAuthn? We have a WebAuthn Adoption CG
15:46:22 ...we'd be keen to get feedback from your team on challenges they hit
15:46:25 -> https://www.w3.org/community/webauthn-adoption/ WebAuthn Adoption Community Group
15:46:41 Joe: The big piece was API documentation.
15:46:50 ...the documentation was perceived as "confusing"
15:47:06 ...they felt it was incomplete; they had to figure out how to connect the dots to make the final API call.
15:47:31 ...I can ask internally for more specifics.
15:48:04 q?
15:48:07 ack me
15:48:09 ack dom
15:48:25 Ian: Plans?
15:48:30 Joe: It's on and people are monitor ing
15:48:41 ...we are also getting feedback through surveys
15:48:49 s/monitor ing/monitoring/
15:49:15 ...I think there is interest in using this and expanding where we can
15:49:49 John_Fontana: Are you using this in an enterprise context?
15:49:58 Joe: I don't think they are looking at this today
15:50:16 ...I will check with technical teams on other interests.
15:51:08 Topic: User Recognition
15:51:45 Ian: [Presenting slide deck]
15:52:07 ... talked previously in this WG around changes in privacy in browsers
15:52:13 ... at TPAC people said user recognition important
15:52:22 ... two threads (1) fraud mitigation, (2) returning users for flows like SRC
15:52:41 ... Update: Anti-Fraud CG started meeting this year; so far approved charter and close to approving use-cases
15:52:51 ... some emerging proposals for the use-cases
15:53:03 ... Have invited them to the WPWG to share updates
15:53:51 ... On the returning user flow; some use-cases have come up - SRC (remember SRC identity), Open Banking (remember preferred bank), ...
15:54:34 ... There are some approaches without 3p cookies with UX: pop-up, Storage Access API, WebAuthn+Conditional UI
15:55:01 ... For conditional UI, strongly attached to autofill in Chrome currently, but we may be interested in other experiences that aren't autofill-based. For later discussion with WebAuthn WG
15:55:34 ... Other technologies that don't seem applicable: Trust Tokens, isLoggedIn - they both lack user info
15:56:22 ... The First Party Sets proposal may be useful for use-cases like SRC, where there are multiple networks
15:57:19 ... to wrap-up - want to look at Conditional UI for SRC
15:57:31 ... plus - what are we missing in general?
15:58:30 smcgruer_[EST]: There's a slightly broader scope for user recognition than you speak to: there are also use cases where PSPs have experiences they want to provide across merchants.
15:58:40 ...suppose I have "Stephen's Shop" online
15:59:09 ...I think there are more use cases than Ian covered.
15:59:25 q?
16:00:42 Topic: Next meeting
16:00:43 26 May
16:01:21 RRSAGENT, make minutes
16:01:21 I have made the request to generate https://www.w3.org/2022/05/05-wpwg-minutes.html Ian
16:01:27 RRSAGENT, set logs public
16:01:42 Thanks for all the preparations and material, Ian! Great sessions.
16:45:09 bryanluo has joined #wpwg
16:46:15 /dialog koalie
17:16:41 bryanluo has joined #wpwg
17:17:11 bryanluo_ has joined #wpwg
17:18:59 bryanluo has joined #wpwg
17:35:41 bryanluo has joined #wpwg
18:01:33 bkardell_ has joined #wpwg
18:17:23 Zakim has left #wpwg