07:26:59 RRSAgent has joined #wpwg
07:27:03 logging to https://www.w3.org/2023/09/11-wpwg-irc
07:27:05 Gerhard_ has joined #wpwg
07:27:10 Meeting: Web Payments WG
07:27:22 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-TPAC2023
07:27:29 Chair: Nick TR
07:27:47 Scribe: nicktr, Gerhard_
07:28:01 Scribe: nicktr, Gerhard_
07:33:02 benoit has joined #wpwg
07:33:25 Arman has joined #wpwg
07:33:36 present+ Arman
07:33:45 present+ benoit
07:34:23 present+ canton
07:34:56 present+ Stephen_McGruer
07:35:07 present+ Helen_Qin
07:35:16 present+ Rick_Byers
07:37:51 Dingwei has joined #wpwg
07:39:00 tomasz has joined #wpwg
07:39:47 Sami has joined #Wpwg
07:39:55 Sami has left #wpwg
07:40:27 JMGirard has joined #wpwg
07:42:35 nick_s has joined #wpwg
07:42:57 gkok has joined #wpwg
07:43:03 SameerT has joined #wpwg
07:43:07 westin has joined #wpwg
07:43:18 solai has joined #wpwg
07:43:19 aidanfoley has joined #wpwg
07:43:30 sarahob has joined #wpwg
07:43:33 jonathan has joined #wpwg
07:43:35 HelenQin has joined #wpwg
07:43:58 JeanLuc has joined #WPWG
07:43:59 OlivierMaas has joined #wpwg
07:44:02 Adam_ has joined #wpwg
07:44:37 q+
07:44:39 fahad has joined #wpwg
07:44:42 Peter_ has joined #wpwg
07:44:47 Dingwei_ has joined #wpwg
07:45:00 kenneth has joined #wpwg
07:45:16 bryanluo has joined #wpwg
07:45:31 Bastien has joined #WPWG
07:45:34 Vinoth has joined #wpwg
07:45:35 q+ to offer to scribe when I'm not talking
07:45:36 q?
07:45:51 benoit has joined #wpwg
07:45:56 bfeigel has joined #wpwg
07:45:58 q-
07:46:00 q+
07:46:16 q-
07:46:38 sioked has joined #wpwg
07:48:18 20 for dinner tonight
07:48:39 TEngland has joined #wpwg
07:48:59 doug_F has joined #wpwg
07:49:26 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-TPAC2023
07:49:42 https://w3c.zoom.us/j/88600469011?pwd=SDhRRGhseXgyd1BCcUlBRHZWTEZ0UT09
07:49:46 Meeting details
07:49:46 Sami has joined #wpwg
07:50:29 zakim, who is here?
07:50:29 Present: Arman, benoit, canton, Stephen_McGruer, Helen_Qin, Rick_Byers
07:50:31 On IRC I see Sami, doug_F, TEngland, sioked, bfeigel, benoit, Vinoth, Bastien, bryanluo, kenneth, Dingwei_, Peter_, fahad, Adam_, OlivierMaas, JeanLuc, HelenQin, jonathan, sarahob,
07:50:31 ... aidanfoley, solai, westin, SameerT, gkok, nick_s, JMGirard, tomasz, Gerhard_, RRSAgent, Zakim, hari, tminamii, pea1358, canton, benoit_, rouslan, dlehn, nelsoncwwu,
07:50:35 ... TimCappalli, imlostlmao, npd, Github, hober, Dongwoo, smcgruer_[EST], nicktr, wanderview, hadleybeeman, ljharb, tobie, rbyers, slightlyoff, Ian, weiler
07:51:01 Tabitha has joined #wpwg
07:51:21 present+ evan_jacobs
07:51:44 topic: Stripe SPC update
07:52:18 evan_jacobs: Regulation is driving friction in payments
07:52:30 ...particularly in 3DS
07:52:48 ...we have been looking at biometric authentication
07:53:11 ...we look to see if we have seen a device before
07:53:17 q?
07:53:28 ...if new, we enrol via 3DS
07:53:59 ack sm`
07:54:02 ack smcgruer_[EST]
07:54:03 smcgruer_[EST], you wanted to offer to scribe when I'm not talking
07:54:09 present+
07:54:14 Stephen is the expert here :-)
07:54:30 evan_jacobs: shows flow
07:54:43 present+ bryanluo
07:55:06 ...shows SPC "opt in"
07:55:19 q+
07:55:22 q+
07:55:31 present+
07:55:56 Gerhard_: I see you are using "biometrics" not "passkey"
07:56:07 bkardell_ has joined #wpwg
07:56:07 ...does that cause issues when biometrics are not available?
07:57:04 aidanfoley: we will be revisiting all of the UX but we went with biometrics as the cue that would provoke users the most
07:57:15 ack Gerhard_
07:57:20 q-
07:57:56 evan_jacobs: shows returning user case
07:58:53 ...throughout the user flow, opt out is available
07:59:16 ...turning to results. We are seeing a 7% improvement in authentication success
07:59:43 ...when returning users choose biometrics, success rate is >95%
07:59:59 q+
08:00:07 ...but only 50% of returning users choose biometrics
08:00:37 ...and latency is hugely improved from 30s to 12s
08:01:04 gkok: do you know whether the returning users are on the same device?
08:01:13 q+
08:01:50 q+
08:01:50 evan_jacobs: we are looking at improving that
08:02:16 gkok: is the authentication improvement matched in authorisation rate?
08:02:22 evan_jacobs: no
08:02:24 q-
08:02:58 aidanfoley: we have a pilot running with an issuer currently, where authorisation rate is better
08:03:10 SameerT: this looks like delegated authentication
08:04:29 ...do you have any analysis of comparisons between this authentication mode v authentication offered by the issuer?
08:05:52 q+
08:06:12 q+
08:07:04 sameer: what happens if the enrolment fails? Does the merchant lose the transaction?
08:07:26 aidanfoley: the enrolment happens _after_ a successful transaction
08:07:40 ack SameerT
08:07:49 q+
08:07:52 ack nick_s
08:08:10 nakjo_shishkov has joined #wpwg
08:08:11 nick_s: is enrolment per PSP?
08:08:22 ...i.e. it's only for Stripe
08:08:25 aidanfoley: yes
08:08:56 Melissa_VS has joined #wpwg
08:10:02 q-
08:10:07 nick_s: I'm worried about this as a barrier for new PSPs
08:10:17 q+
08:10:34 ...it would be nice to see this shared across PSPs
08:10:36 q?
08:11:13 sami has joined #wpwg
08:11:59 fahad: could you get better times via the issuer?
08:12:16 q+
08:12:25 aidanfoley: we continue to look at this
08:12:28 q?
08:12:35 ack fahad
08:12:40 ack Gerhard_
08:12:55 Gerhard_: who has liability? are you sending the binding?
08:13:16 aidanfoley: Stripe are currently taking the liability with the delegated authentication flag set
08:13:52 ...and we continue to learn from it
08:14:30 evan_jacobs: we are getting less fraud with this than "vanilla" 3DS but we are cautious about that
08:14:37 aidanfoley: we are only 90 days in
08:15:17 evan_jacobs: we are also seeing higher success with webauthn rather than SPC, which we don't understand
08:15:41 tomasz: did you try to run this as SPC directly?
08:16:36 q?
08:16:36 aidanfoley: we do have this. The drop off is happening on the "OS prompt".
08:17:17 tomasz: are you running this across platforms?
08:17:32 q+
08:17:34 aidanfoley: yes, but when we launched on android then the drop off was big
08:17:41 tomasz: do you know why?
08:18:06 aidanfoley: no.
08:18:43 evan_jacobs: to conclude - we continue to experiment, with much more UX research, and how to get more issuers involved
08:18:47 q?
08:18:51 ack tomasz
08:18:51 q-
08:22:02 q+
08:22:17 TEngland has joined #wpwg
08:22:36 Zakim: nicktr: thanks aidanfoley, evan_jacobs
08:22:56 nicktr: I think new PSPs have plenty of challenges!
08:23:50 q?
08:24:16 nick_s: yes, but we should not put in improvements that clearly favour larger PSPs
08:24:21 topic: Visa update
08:24:57 q-
08:25:02 ack nick_s
08:25:06 ack nicktr
08:25:22 doug_F: presents slides
08:26:02 ...Visa has been focussing on the use case of merchant initiated SPC where the issuer is the relying party
08:26:13 ...we have been conducting two pilots
08:26:22 ...both have 3DS architectures
08:26:49 ...phase 1 - friends and family
08:27:00 ...phase 2 - limited BIN range
08:27:42 ...the pilot is using 3DS 2.3.1.1 (the very latest specification)
08:29:12 ...the SPC assertion is passed in via a second AReq
08:29:38 ...the second pilot is using 2.2 with an extension with Modirum
08:30:29 ...both bringing reassurance about backward compatibility and a check in the latest spec
08:31:26 doug_F: we wanted to provide feedback on UI and to investigate SPC v other authentication
08:31:57 ...we also wanted to look at fallback to 3DS if the user hits cancel or other failure states
08:33:23 ...we found that users need more context and explanation of the value proposition
08:33:45 ...many participants struggled to understand what they were being asked to do and why
08:34:11 ...and in particular didn't understand that the credentials were specific to the browser
08:35:16 doug_F: we found that the passkey dialogue box caused confusion (we saw one user trying to write things down)
08:37:17 ...we found that users tried to "touch" the fingerprint image on the SPC dialogue
08:37:34 ...there was a lot of difference between OSes
08:38:06 ...with better results in MacOS than in Windows
08:39:12 q+ to talk about windows hello experience
08:39:42 ...windows dialogues seemed to cause more problems
08:39:50 q+ to ask about user.name/user.displayName as what looks like an id
08:40:47 doug_F: cancel did not test well
08:41:05 ...but sentiment towards biometrics was generally positive
08:41:28 q+
08:41:31 ...3DS tested well - but European users in particular are very familiar
08:42:20 ...inconsistency across OS and devices and browsers is a real challenge
08:42:20 ...Visa recommends iterative content and interaction design work
08:42:51 doug_F: compares SPC v OTP
08:43:24 ...SPC is faster!
08:44:47 doug_F: shows demo and points out additional browser screen to prevent timing attack but which adds friction
08:44:52 q?
08:45:16 ack smcgruer_[EST]
08:45:16 smcgruer_[EST], you wanted to ask about user.name/user.displayName as what looks like an id
08:45:34 q+
08:46:16 smcgruer_[EST]: it might be easier to add card name in the display name fields
08:46:48 doug_F: behaviour is different between browsers
08:47:27 Soumya has joined #wpwg
08:47:46 smcgruer_[EST]: on the no matching credentials dialogue, is this a different device issue?
08:47:50 doug_F: yes
08:48:32 Gerhard_: chrome and safari use different data fields in webauthn
08:49:19 Gerhard_: 3DS tests better but users are more familiar - do you think it's this familiarity that is driving the better result?
08:49:46 doug_F: I think it's both familiarity and maturity - we have done so much testing of 3DS
08:49:48 q?
08:49:54 ack Gerhard_
08:50:19 q+
08:50:20 q+ to also ask about merchant-triggered vs acs-triggered
08:50:48 q+ later
08:50:52 q-
08:51:24 ack tomasz
08:51:43 Dingwei has joined #wpwg
08:52:02 tomasz: points out windows hello uses the relying party ID
08:52:32 q+
08:52:34 smcgruer_[EST]: webauthn community pushed back on using relying party name
08:52:44 ...but might now be different
08:52:53 ...it's very confusing for the user
08:53:13 ...most users don't know who the PSP is (even Stripe)
08:53:44 q+ for Imran/Nakjo - how will the fallback work on merchant initiated flow when the intermittent user activation screen is removed
08:53:48 aidanfoley: users just know where they are shopping - the merchant name
08:54:07 q-
08:54:15 ack rbyers
08:54:33 rbyers: did you test webauthn v SPC like Stripe?
08:55:41 doug_F: we looked at webauthn as a fallback
08:55:46 q?
08:55:48 q-
08:56:15 q?
08:57:04 q?
08:57:59 q+
08:58:13 gkok: suggests improvement to flow (didn't catch detail)
08:58:35 dougF: we didn't try that
08:59:19 suggests improvement to flow by replacing the "cancel" button by something like "verify through other means"
08:59:21 ack SameerT
08:59:21 SameerT, you wanted to discuss Imran/Nakjo - how will the fallback work on merchant initiated flow when the intermittent user activation screen is removed
08:59:34 ack gkok
09:00:34 tomasz: have you compared SPC v mobile authentication for 3DS?
09:00:50 dougF: yes, and we could demo that
09:01:55 imran_ahmed presents modirum findings from SPC
09:04:04 imran: transient user activation is required - we have implemented a dual authentication option but this is removed in Chrome v118
09:04:37 imran: flow when a new device is present is two additional clicks
09:05:07 imran: user ID is tied to "name" field, tied to user not device
09:05:24 ...windows shows on registration and authentication
09:05:37 ...but Android and MacOS show only on registration
09:05:59 ...possible alternatives: PAN, masked PAN, or user chosen name
09:07:34 ...SPC credential is unique ID - user ID + RP ID + device platform authenticator
09:08:02 ...case 1: browsers not sharing SPC credentials (except Android)
09:08:20 ...case 2: Windows 11 passkey syncing
09:08:38 ...but SPC credentials are not shared
09:08:57 q+
09:09:06 ...registration on new device fails - platform authenticator reports credential already exists
09:09:14 ack tomasz
09:10:02 imran: future considerations - biometrics clearly very important in SPC
09:10:09 Peter has joined #wpwg
09:10:41 ...would be good to see issuer and scheme logos on SPC UI
09:10:48 Bastien has joined #WPWG
09:10:52 Adam_ has joined #wpwg
09:12:04 ...would like to understand effect on public key extensions and also role of roaming authenticators
09:12:49 Gerhard_: points out difference between "trust this device" or "trust this browser"
09:13:33 smcgruer_[EST]: webauthn is "trust this platform"
09:16:02 FedID CG meeting next: https://github.com/fedidcg/meetings/blob/main/2023/2023-09-11-TPAC-agenda.md
09:16:07 Evan_Jacobs has joined #wpwg
09:16:09 rwatkins-ma has joined #wpwg
09:16:42 Kavya has joined #wpwg
09:16:48 break for coffee
09:17:37 JAYADEVI has joined #wpwg
09:17:47 zoom link: https://w3c.zoom.us/j/9020046588?pwd=TlFQODcrdEZhajBjODI0bm91N2pYQT09
09:30:50 nick_s has joined #wpwg
09:36:42 benoit_ has joined #wpwg
10:21:51 helen has joined #wpwg
10:27:32 benoit_ has joined #wpwg
10:36:11 Melissa_VS has joined #wpwg
10:37:34 nick_s has joined #wpwg
10:38:09 Adam_ has joined #wpwg
10:38:32 topic: Update on SPC with passkeys
10:38:45 I have made the request to generate https://www.w3.org/2023/09/11-wpwg-minutes.html nicktr
10:39:09 benoit_ has joined #wpwg
10:39:13 Bastien has joined #WPWG
10:39:18 SameerT_ has joined #wpwg
10:42:06 Dingwei has joined #wpwg
10:43:20 q?
10:43:31 queue=
10:45:48 fahad has joined #wpwg
10:48:05 present+
10:48:10 present+
10:48:11 present+
10:48:13 present+
10:48:13 present+
10:48:15 present+
10:48:16 TEngland has joined #wpwg
10:48:16 Gerhard has joined #wpwg
10:48:16 present+
10:48:18 present+
10:48:18 present+
10:48:18 present+
10:48:21 present+
10:48:32 HelenQin has joined #wpwg
10:48:33 Tabitha has joined #wpwg
10:48:36 Soumya has joined #wpwg
10:48:36 present+
10:48:37 Peter_ has joined #wpwg
10:48:42 Nakjo_Shishkov has joined #wpwg
10:48:42 present+
10:48:43 Evan_Jacobs has joined #wpwg
10:48:43 present+
10:48:44 present+
10:48:51 present+
10:48:52 present+
10:48:52 present+
10:48:53 present+
10:48:54 present+
10:48:57 present+
10:49:21 tomasz has joined #wpwg
10:49:24 present+
10:49:26 Bastien_ has joined #WPWG
10:49:28 present+
10:51:14 Imran has joined #wpwg
10:51:15 jonathan presents objectives slides:
10:51:22 1) reduce fraud and false declines
10:51:27 present
10:51:27 2) reduce friction
10:51:37 3) improve conversion
10:52:49 jonathan: identifies use cases for passkey and cards
10:53:00 ...issuer is the relying party
10:53:14 ...merchant/PSP/wallet is the relying party
10:54:30 ...(authentication ultimately passed to issuer via scheme specific mechanism)
10:54:34 gkok has joined #Wpwg
10:54:55 ...lastly, where mastercard is the relying party
10:55:10 gkok has left #wpwg
10:55:21 gkok has joined #wpwg
10:55:34 gkok has left #wpwg
10:55:47 gkok has joined #wpwg
10:55:52 ...which has advantages in terms of consumer familiarity with the mastercard brand
10:56:14 jonathan: what does SPC bring over webauthn?
10:56:41 ...1) only prompt when there is an authentication credential on the device
10:57:00 ...2) x-origin authentication
10:57:08 ...3) dynamic linking
10:57:16 JMGirard has joined #wpwg
10:57:33 ...4) consistency and secure display
10:58:20 jonathan: secure display includes "sign what you see"
10:59:23 smcgruer_[EST]: with SPC there are additional fields in the challenge result (you could do it with webauthn but it's explicit in SPC)
10:59:31 q+
10:59:50 ack nick_s
11:00:45 nick_s: we need to stop SPC allowing discovery of whether biometry is enabled
11:00:57 smcgruer_[EST]: agreed - we need to improve the UX
11:01:31 jonathan: if there is no credential, is there no dialogue?
11:01:51 smcgruer_[EST]: no, there is always a dialogue, but the fallback UI is not good
11:02:41 Q+
11:03:10 ...FedCM is trying to do this with a complicated timing screen which does not have consensus across the browser vendors
11:06:02 Sami has joined #wpwg
11:06:21 gkok: could issuers learn what kind of verification has occurred?
11:06:46 smcgruer_[EST]: not at the moment - it would definitely be a topic for discussion with webauthn wg tomorrow
11:07:40 rakesh: what kind of support are we seeing from issuers?
11:08:07 SameerT_: login is an easy use case for issuers as it's a first party context
11:08:28 SameerT_: but enrolment is more difficult and payment another step beyond that
11:09:19 Gerhard: iframes lack permissions, fallback in web versus apps
11:09:36 ...and the lack of consistency causes friction
11:10:35 jonathan: shows example flow with passkey
11:10:46 present+ jonathan_grossar
11:11:22 ...(registration during checkout)
11:12:26 ...(returning user)
11:12:49 ...showing difference between vanilla webauthn and SPC
11:13:23 jonathan: introduction of passkeys brings two new challenges
11:14:06 ...1) passkeys don't have an attestation to allow validation
11:15:09 ...2) passkeys are synchronised across devices. some implementations don't allow the RP to work out which device the user is on
11:15:45 q+ to ask about attestation
11:15:50 ack gkok
11:16:43 q+
11:17:16 Gkok has joined #Wpwg
11:17:19 Peter has joined #wpwg
11:17:26 +q
11:18:34 ack nicktr
11:18:34 nicktr, you wanted to ask about attestation
11:18:58 nicktr: did we lose attestation when passkey was introduced?
11:19:26 jonathan: no, it's only optional in webauthn
11:19:53 nick_s: can you say more about why it's difficult for SCA?
11:21:09 jonathan: the lack of information about how the user possession is validated
11:21:58 ack Gkok
11:22:01 ack nick_s
11:23:44 gkok: understanding where the liability sits is critical
11:24:09 q?
11:24:52 q+ to observe that the schemes have made the liability situations clear in the past (for example with the introduction of 3DS)
11:25:13 ack nicktr
11:25:13 nicktr, you wanted to observe that the schemes have made the liability situations clear in the past (for example with the introduction of 3DS)
11:27:12 Sami has joined #wpwg
11:27:36 nicktr: the ecosystem works best when everyone understands where the risk is sitting, so ideally we would "paint" the transaction with all the information that would be necessary
11:27:54 q?
11:28:01 jonathan: (shows degraded UX)
11:28:11 q+
11:28:20 q+
11:28:50 smcgruer_[EST]: it sounds like in a 1P context, webauthn works
11:29:09 ...in a 3P context, would an iframe suffice?
11:29:43 ...in other words, should we just make webauthn work better in iframes?
11:30:03 jonathan: we would prefer not to have to open iframes
11:31:15 jonathan: (shows potential use case of using SPC to access their account e.g. click to pay)
11:31:25 ack smcgruer_[EST]
11:32:01 ...which would require changes to prompt and also removal of "total" field
11:32:13 ack nick_s
11:32:30 nick_s: don't cookies have the same problem? Cookies can be backed up
11:33:56 nick_s: it sounds like what we really want is a way of uniquely identifying that the device that was enrolled is the one presenting the credential
11:35:28 smcgruer_[EST]: is cookie theft in your threat model, payment folks?
11:36:00 rakesh: it certainly informs our thinking
11:36:32 nick_s: sounds like there is other data that we could use
11:38:37 I have made the request to generate https://www.w3.org/2023/09/11-wpwg-minutes.html nicktr
11:39:01 Gerhard: may I remind you that there is a world outside Europe and we need to find that balance
11:39:15 break for lunch
11:45:26 benoit_ has joined #wpwg
11:46:23 benoit_ has joined #wpwg
12:14:17 bryanluo has joined #wpwg
12:27:32 Adam_ has joined #wpwg
12:27:55 bryanluo has joined #wpwg
12:29:47 bryanluo_ has joined #wpwg
12:33:26 benoit_ has joined #wpwg
12:33:42 nick_s has joined #wpwg
12:33:54 westin has joined #wpwg
12:34:10 SameerT has joined #wpwg
12:35:47 bryanluo has joined #wpwg
12:36:50 Gkok has joined #wpwg
12:38:10 present+ Rouslan
12:38:10 fahad has joined #wpwg
12:38:10 topic: netcetera demos
12:39:15 bryanluo_ has joined #wpwg
12:39:15 present+ nakjo_shishkov
12:39:15 zakim, who is here?
12:39:15 Present: Arman, benoit, canton, Stephen_McGruer, Helen_Qin, Rick_Byers, evan_jacobs, Dingwei_, bryanluo, gkok, nick_s, fahad, Melissa_VS, JeanLuc, rwatkins-ma, westin, kenneth,
12:39:15 ... SameerT_, Adam_, Gerhard, HelenQin, Dingwei, Tabitha, hari, Nakjo_Shishkov, Peter_, TEngland, Soumya, sioked, tomasz, Bastien_, jonathan_grossar, Rouslan
12:39:15 On IRC I see bryanluo_, fahad, Gkok, bryanluo, SameerT, westin, nick_s, benoit_, Adam_, JMGirard, SameerT_, Melissa_VS, helen, Kavya, bkardell_, bfeigel, benoit, kenneth, JeanLuc,
12:39:15 ... RRSAgent, Zakim, hari, tminamii, pea1358, canton, rouslan, dlehn, nelsoncwwu, TimCappalli, imlostlmao, npd, Github, hober, Dongwoo, smcgruer_[EST], nicktr, wanderview,
12:39:15 ... hadleybeeman, ljharb, tobie, rbyers, slightlyoff, Ian, weiler
12:39:15 Gerhard has joined #wpwg
12:39:15 martin_a has joined #wpwg
12:39:48 present+ martin_alvarez
12:39:48 nakjo: our demo ran on v2.3.1.1, with a participating issuer and a participating merchant
12:39:48 evan_jacobs has joined #wpwg
12:40:52 bryanluo_ has joined #wpwg
12:40:52 Tony_E has joined #wpwg
12:41:01 sioked has joined #wpwg
12:41:04 (shows demo store in a preview environment)
12:41:43 I have made the request to generate https://www.w3.org/2023/09/11-wpwg-minutes.html nicktr
12:41:44 tomasz has joined #wpwg
12:43:28 (shows non-happy path, the requestor doesn't support SPC)
12:43:31 Jayadevi has joined #wpwg
12:44:11 Soumya has joined #wpwg
12:44:11 bryanluo has joined #wpwg
12:44:11 q+
12:44:30 q+
12:45:02 rwatkins-ma has joined #wpwg
12:45:16 SameerT: in merchant initiated flow, there's no iframe - there's no issuer messaging
12:45:20 Sami has joined #wpwg
12:45:41 ...but in the second flow, the issuer has rendered an iframe. Just wanted to highlight that
12:45:50 ack SameerT
12:45:51 Gkok has joined #Wpwg
12:45:52 Q+
12:47:24 martin_a has left #wpwg
12:47:24 Bastien has joined #WPWG
12:47:27 fahad: who makes the "show credential" call?
12:48:16 nakjo: in the merchant initiated page, it's the merchant. In the non-SPC flow, it's the issuer
12:48:20 Gkok:
12:48:50 ack Gkok
12:48:53 ack fahad
12:49:26 nakjo: (shows the fail flow - hits cancel)
12:49:56 (defaults to out of band authentication)
12:53:01 Tabitha has joined #wpwg
12:53:22 present+
12:56:03 present+
12:56:03 Q+
12:56:25 q+
12:57:02 Q-
12:57:06 q+
12:57:07 q+ to ask about `"showOptOut": true` on the code snippet slide. Is there a use case for it? Is that useful?
12:57:29 nakjo: shows mismatch between 3DS and SPC spec (3DS spec has relying party ID / credential pairs, SPC has one RP ID and multiple credentials)
12:57:42 ...(shows unregister UI)
12:57:51 Q+
12:58:32 ...I don't know whether there is a maximum number of credentials
12:59:14 smcgruer_[EST]: I think the 3DS/SPC mismatch is relatively fixable
13:00:10 q-
13:00:48 ...with regard to the opt out, the intent of the Chrome implementation: we suggest that the opt out link takes the user somewhere they can manage the credentials that the caller has issued
13:01:25 dougF: in the third-party model, the issuer needs to be able to invoke this
13:01:44 smcgruer_[EST]: I think we assumed the issuer and merchant would have to talk.
13:02:05 alakatos has joined #wpwg
13:02:27 ...the link is not a "weblink" - it causes the authentication to fail with an error condition
13:02:44 ..."opt out error"
13:03:00 q?
13:03:07 ack smcgruer_[EST]
13:04:11 smcgruer_[EST]: is this opt out still important?
13:04:11 nakjo: yes, deregistration is still important
13:04:54 ack Gerhard
13:05:03 imran has joined #wpwg
13:05:22 Gerhard: would it be possible for a directory server to add its RP ID?
13:06:22 nakjo: yes, technically you could do this, but I don't know what would happen on the ACS?
13:08:12 gerhard: what happens with multiple credentials?
13:08:27 smcgruer_[EST]: we would only show credentials that could be used?
13:08:45 q?
13:10:57 Gkok: it's not clear how we would prioritise which one to use if there were more than one
13:12:04 ...and I'd suggest that the opt out resulted in a signed request to remove the credential
13:13:10 nakjo: (demos flow when SPC is not supported by requestor or in iframe)
13:13:44 nakjo: here we fall back to webauthn in a new window with access in a 1P context
13:14:15 q+ to talk about popups with WebAuthn and SPC
13:14:41 ack Gkok
13:15:04 nakjo: the sandbox attribute means that this doesn't work
13:15:18 ack rouslan
13:15:18 rouslan, you wanted to talk about popups with WebAuthn and SPC
13:15:35 Q+
13:16:17 wanderview has left #wpwg
13:16:30 q?
13:16:45 q+
13:16:54 nakjo: we're talking about a backup of a backup here
13:17:01 ack Gkok
13:18:39 gkok: could we just default SPC on in iframes?
13:18:42 smcgruer_[EST]: no
13:18:52 q-
13:19:10 dougF: but SPC is now in the requirements of 3DS including the browser settings
13:19:15 q?
13:20:02 nakjo: many corporate managed computers and phones restrict platform authenticators including windows hello
13:20:27 ...and platform authenticator is not available in private/incognito mode
13:21:16 topic: netcetera demo of SPC on Android with custom tabs
13:21:56 q?
13:22:05 (shows passkey registration and authentication flows)
13:23:16 nakjo: purpose of this investigation was to see if we could do SPC from a native app - or at least as close to native as possible
13:24:18 ...we had a native application that contained the checkout experience and moved the SPC challenge "next to" the native app via a web landing page
13:24:29 q+
13:25:07 q-
13:25:22 ...we had several failed attempts - webview failed so we tried custom tabs
13:25:45 (shows demo app)
13:26:49 q+
13:29:13 q?
13:29:49 q+
13:29:55 q+
13:29:56 nakjo: shows it's possible to deliver SPC experience in custom tabs
13:30:26 nick_s: what's the benefit of relying on SPC v the bank's app?
13:30:42 ack nick_s
13:31:05 Gerhard: not all banks have a native app
13:31:20 Gkok__ has joined #Wpwg
13:31:22 ...and consumers get lost moving between apps
13:31:31 ...3DS 2.3.1 addresses some of that
13:31:38 ack tomasz
13:32:38 can you explain the communication between the custom tab and the native app?
13:33:14 Gkok___ has joined #Wpwg
13:33:31 Q+
13:33:36 nakjo: we use a specific redirect URL and a link listener in the native app (which then checks the status)
13:33:38 q?
13:34:11 ac SameerT
13:34:11 ack SameerT
13:34:12 SameerT: is this over 3DS?
13:34:21 nakjo: no, though it could be.
13:34:52 q?
13:36:15 ack Gkok___
13:36:17 q+
13:36:23 q-
13:37:14 q+
13:37:18 nakjo: we can use custom tabs, but session handling and the landing authentication page are tricky
13:37:38 ...error handling is also harder
13:37:50 ...and redirection to native app doesn't always work
13:38:16 ...also you may have to override the default browser
13:38:38 q-
13:38:46 ...ideas for improvement include message exchange or event listener
13:38:50 q?
13:39:31 Gkok___: I would love to see this working better if SPC in general picks up in popularity
13:39:58 ...is there a world where native apps could use SPC more easily?
13:40:33 smcgruer_[EST]: yes. We would love to make the workarounds unnecessary but we need to get the priority to do this work
13:41:09 Gerhard: it would be great to get "do SPC" added to the 3DS spec in the merchant app API
13:42:35 SameerT: I could possibly see this working for bigger merchant apps, where they may already be doing biometric authentication
13:43:13 Gerhard: doing this for each merchant app is a deployment nightmare
13:43:16 q?
13:43:59 topic: apple perspectives
13:44:16 nick_s: we are happy to be back
13:46:30 nick_s: we support payment request in MacOS, iOS, iPad and VisionPro (sp?) with authentication via iris
13:46:30 ...on SPC - we are potentially interested as a merchant and also in delegated authentication
13:47:11 ...it would be interesting to see SPC on other payment methods
13:48:04 nick_s: (for clarity, I work on ApplePay not webkit)
13:48:11 nick_s: we would love to see shipping and billing address back in payment request
13:48:14 ...we know there are challenges with i18n and privacy
13:50:20 nick_s: we are now supporting "advance fraud protection" for Visa cards which is a private connection between the device and ?scheme? (NickTR missed this endpoint)
13:50:40 ...we are interested in the receipt use case
13:50:42 q?
13:51:56 Gerhard: could that additional information be provided to the issuer?
13:51:56 q?
13:52:22 nick_s: I think we would be interested in investigating that as a standardised way of communicating it
13:52:47 gkok: what are the roadblocks for SPC?
13:53:18 ...I think there are clearly user experience and privacy issues to resolve
13:53:37 https://github.com/WebKit/standards-positions/issues/30
13:53:55 ...you can see Apple's positions on standards here -> https://github.com/WebKit/standards-positions/issues/30
13:54:17 q?
13:55:54 nick_s: if there is interest in using SPC in native apps, I think it would be interesting to explore how we could make this more seamless
13:56:52 joyce: could I have better control over my physical payments like I have on web payments? For example, the payment confirmation
13:57:25 nick_s: I would be delighted to talk to you about that - one limitation is the information that's available via the NFC interface
13:59:11 ...some of these payment standards are quite old
14:00:33 ...we have also recently introduced taking payments contactlessly via iPhones and have made some accessibility improvements there
14:00:36 q?
14:01:30 FWIW Rick and Stephen had to jump for a meeting 4:00-4:30, but we're obviously very interested in this topic. Sorry for the conflict.
14:02:01 Gkok has joined #wpwg
14:02:15 Q+
14:02:52 Adam_ has joined #wpwg
14:03:41 Sami: are we trying to define best practices for SPC implementations?
14:04:41 Gerhard: I think it would be great if we could come up with a framework for comparing SPC implementations
14:05:27 evan_jacobs: we have a lot of challenges talking to issuers because we often measure different metrics or see different results
14:06:30 sami: we see lots of different approaches
14:07:23 Gkok: I can see both issuer and scheme implementations working depending on scale of the issuer
14:07:38 ack Gkok
14:07:55 gkok: let me give a merchant perspective
14:08:22 ...we really need relying parties outside our PSPs
14:08:38 ...and in particular more issuers
14:09:11 ...there is interest from issuers but they're not getting consistent messaging and support and information
14:09:55 ...mobile browser is giving us the biggest headache for conversion
14:10:06 imran has joined #wpwg
14:10:11 ...and diagnosis is really hard
14:10:57 ...again, as a merchant, we need more "insurance".
14:11:16 alakatos has joined #wpwg
14:12:04 gkok: it's all about the value of the user - particularly on the first transaction. I would give up liability shift on first transaction
14:12:27 evan_jacobs: is there interest in implementing SPC in non-SCA markets?
14:13:11 gkok: yes, if the performance uptick is worthwhile. It all comes down to the experience
14:13:11 q+
14:13:31 evan_jacobs: I do wonder if there is an opportunity to do more with delegated authentication in the US market
14:14:08 nick_s: the optimist thinks that would be great. the pessimist (realist) looks at how hard Chip and PIN was in the US
14:14:36 ...I think you need either regulation or a significant economic incentive
14:15:05 gkok: I agree. perhaps it also opens up new business models or payment methods - for example in open banking
14:16:22 evan_jacobs: some US issuers see authenticated transactions as inherently riskier than non-authenticated ones
14:16:25 q?
14:16:34 ack
14:16:36 ack nick_s
14:16:37 q?
14:17:03 solai has joined #wpwg
14:19:29 we break for coffee
14:19:45 I have made the request to generate https://www.w3.org/2023/09/11-wpwg-minutes.html nicktr
14:22:09 benoit_ has joined #wpwg
14:25:40 bryanluo has joined #wpwg
15:00:28 benoit_ has joined #wpwg
15:00:35 yoav_ has joined #wpwg
15:02:18 bryanluo has joined #wpwg
15:04:02 Sami has joined #wpwg
15:04:07 benoit_ has joined #wpwg
15:04:19 rwatkins-ma has joined #wpwg
15:06:16 alakatos has joined #wpwg
15:06:39 nick_s has joined #wpwg
15:07:50 Tony_E has joined #wpwg
15:08:55 Topic: Breakouts and future topics
15:09:32 nicktr: please note that the restaurant that we have a booking at this evening is here -> https://goo.gl/maps/D5VdQDoMwdbKhDwe7
15:09:54 https://aderezotapas.es
15:10:35 It's the El Porvenir one (about 15 minute walk from the Melia hotel)
15:29:29 bryanluo has joined #wpwg
15:34:52 nick_s has joined #wpwg
15:39:02 nick_s has joined #wpwg
15:41:51 nick_s has joined #wpwg
15:44:44 bryanluo has joined #wpwg
15:54:04 nick_s has joined #wpwg
15:54:57 Group 1: Expanded payment use-cases
15:55:09 Two categories: non-payment use-cases and complex use-cases
15:55:15 (Sami giving feedback)
15:55:25 Second one was a broad discussion
15:55:35 What should SPC have extra?
15:55:40 Use-cases:
15:55:44 * Accessing a wallet
15:55:59 ID&V / enroll passkey (SPC) after legacy ID&V
15:56:19 Can SPC fields be expanded for this?
15:56:25 Complex use-cases were more diverse.
15:56:35 Payments + ID data (e.g. age / location)
15:57:07 * Make Autofill and SPC smoother together (can we trust this / binding this on the browser?)
15:57:21 * Recurring transactions (once a month / initial + recurring, etc)
15:57:28 Conclusions:
15:57:51 * Bigger picture is important. SPC being used is broader than the single part.
15:58:01 Merchant + Network + Issuer.
15:58:08 q?
15:58:53 Payment & ID and Autofill was where a lot of the time went?
15:59:35 Non-payment auth has a ticket on it.
16:00:00 Group 2: Increasing trust and reducing friction
16:00:10 * Take lessons from FedCM
16:00:25 They offer more context to the customer so the dialog can show a list or narrow it down.
16:00:36 Also had a silent login option.
16:00:58 Could we enrich the API so the relying party could share more information?
16:01:35 Next one was how we could add more browser data to the flow - influence on how the passkey/SPC asks for fingerprint.
16:02:01 Potentially a risk score or additional signals that the browser could provide. Also potentially prompts to share consent.
16:02:11 Also potentially share biometric usage context (still the same user).
16:02:19 A notification that credentials are being used.
16:02:28 imran has joined #wpwg
16:02:51 Also spoke about auto-enrollment? How could we do this, and what obstacles would be there? Create a credential without prompting? What would that take?
16:03:04 If you want to authenticate then use this.
16:04:05 Context of the transaction such as pay/subscribe
16:04:18 (nakjo for group 2)
16:04:34 Group 3: Increase trust and reduce friction:
16:04:56 First ensure consistent experience for user across all OS and devices
16:05:03 A couple of hops in that journey.
16:05:19 Marketing and branding the payment brands and logos. Improve that.
16:05:27 Experience enables consistency.
16:05:41 Eliminating unnecessary steps due to failed authentication.
16:06:04 Familiarity to users in pop-ups. User names or something more memorable.
16:06:25 Enrollment scope and cross-device scoping. Should not be repeating this across various devices. 16:06:29 q? 16:06:48 Group 4 (Stephen) 16:07:05 Expanding use-cases to talk about SPC and non-payment flows and more complex payments. 16:07:16 Also spoke about alternate payment mechanisms. 16:07:27 Focused more on SPC UI. 16:07:39 Technically it's too restricture (Recurring, variable) 16:07:58 But you cannot do raw text in browsers? So how do you do that? FedCM has 4 enumerations. 16:08:13 Payments may be more complex? Did not come up with a clear answer. 16:08:43 How important is this to solve? Some are seeing issuers are not wanting to enable recurring payments - want to re-auth every time. 16:08:56 Alternative payment: UPI, Open Banking, PayNow, 16:09:20 (and PIX) Not all the same. Merchant is push payment. Open banking is submitting the context for them to charge. 16:09:40 Obvious flows here are browser to app and back. How would we enable that. 16:09:48 Did not really have a real solution here. 16:10:24 What about Intents? PIX folks did raise concern since unsure about who responds to intends. Also based on time available /speed. 16:10:42 Payment handler had ability to check signatures, so this can be solved. 16:10:48 Alex had a complex idea. 16:11:39 Action is to explore something - explore with RBI and Brazilian regulator. Also if SPC fits in there. Could you do everything in the browser. 16:13:12 COmment: Would be great to jump back from app to browser page that redirected back to that. 16:13:24 You should be able to solve this. 16:13:40 (comments from gerhard) 16:14:54 bryanluo has joined #wpwg 16:15:07 alakatos has joined #wpwg 16:15:29 evan_jacobs has joined #wpwg 16:15:37 Second point: Browser is trusted globally in the rest of the world. We can leverage that. Let the relying party indicate if he wants to trust the browser or not. 16:16:04 New restaurant for tonight. 
16:16:57 https://www.irccloud.com/pastebin/7XcD3zIq/ 16:17:11 **Important** 16:17:11 16:17:11 Our restaurant booking has changed. 16:17:11 16:17:11 We are now heading to El Paseillo 16:17:12 16:17:12 https://elpaseillosevilla.com/ 16:17:12 16:17:13 map - it looks like a 25 minute walk from the Melia hotel, but it is in a nice area of the city centre near the cathedral with lots of bars. 16:17:13 16:17:13 We have a reservation for 20 people across three tables at 8:30pm local time. I will be in reception at 8pm to walk over there if you want to walk with me. 16:20:58 s/Sami: are we trying/????: are we trying/ 16:21:29 s/sami: we see lots/????: we see lots/ 16:21:40 end of day one 16:21:57 I have made the request to generate https://www.w3.org/2023/09/11-wpwg-minutes.html nicktr 16:22:43 leaving. As of this point the attendees have been Arman, benoit, canton, Stephen_McGruer, Helen_Qin, Rick_Byers, evan_jacobs, Dingwei_, bryanluo, gkok, nick_s, fahad, Melissa_VS, 16:22:43 Zakim has left #wpwg 16:22:43 ... JeanLuc, rwatkins-ma, westin, kenneth, SameerT_, Adam_, Gerhard, HelenQin, Dingwei, Tabitha, hari, Nakjo_Shishkov, Peter_, TEngland, Soumya, sioked, tomasz, Bastien_, :, 16:22:43 ... jonathan_grossar, Rouslan, martin_alvarez, Sami 16:24:08 bryanluo has joined #wpwg 16:25:34 benoit has joined #wpwg 16:51:46 benoit_ has joined #wpwg 18:00:38 benoit has joined #wpwg 18:05:17 benoit_ has joined #wpwg 18:13:01 bryanluo has joined #wpwg 18:20:37 bryanluo has joined #wpwg 18:26:54 bryanluo has joined #wpwg 20:26:37 bryanluo has joined #wpwg 20:27:54 benoit has joined #wpwg 21:06:29 nick_s has joined #wpwg 21:27:18 bryanluo has joined #wpwg 21:32:47 benoit has joined #wpwg 21:34:40 benoit_ has joined #wpwg 21:43:16 benoit__ has joined #wpwg 21:47:13 benoit__ has joined #wpwg 22:11:27 benoit has joined #wpwg 22:46:02 bryanluo has joined #wpwg 23:36:55 benoit has joined #wpwg 23:56:38 bryanluo has joined #wpwg