IRC log of wpwg on 2023-09-11

Timestamps are in UTC.

07:26:59 [RRSAgent]
RRSAgent has joined #wpwg
07:27:03 [RRSAgent]
logging to https://www.w3.org/2023/09/11-wpwg-irc
07:27:05 [Gerhard_]
Gerhard_ has joined #wpwg
07:27:10 [nicktr]
Meeting: Web Payments WG
07:27:22 [nicktr]
Agenda: https://github.com/w3c/webpayments/wiki/Agenda-TPAC2023
07:27:29 [nicktr]
Chair: Nick TR
07:27:47 [nicktr]
Scribe : nicktr, Gerhard_
07:28:01 [nicktr]
Scribe: nicktr, Gerhard_
07:33:02 [benoit]
benoit has joined #wpwg
07:33:25 [Arman]
Arman has joined #wpwg
07:33:36 [Gerhard_]
present+ Arman
07:33:45 [Gerhard_]
present+ benoit
07:34:23 [Gerhard_]
present+ canton
07:34:56 [smcgruer_[EST]]
present+ Stephen_McGruer
07:35:07 [smcgruer_[EST]]
present+ Helen_Qin
07:35:16 [smcgruer_[EST]]
present+ Rick_Byers
07:37:51 [Dingwei]
Dingwei has joined #wpwg
07:39:00 [tomasz]
tomasz has joined #wpwg
07:39:47 [Sami]
Sami has joined #Wpwg
07:39:55 [Sami]
Sami has left #wpwg
07:40:27 [JMGirard]
JMGirard has joined #wpwg
07:42:35 [nick_s]
nick_s has joined #wpwg
07:42:57 [gkok]
gkok has joined #wpwg
07:43:03 [SameerT]
SameerT has joined #wpwg
07:43:07 [westin]
westin has joined #wpwg
07:43:18 [solai]
solai has joined #wpwg
07:43:19 [aidanfoley]
aidanfoley has joined #wpwg
07:43:30 [sarahob]
sarahob has joined #wpwg
07:43:33 [jonathan]
jonathan has joined #wpwg
07:43:35 [HelenQin]
HelenQin has joined #wpwg
07:43:58 [JeanLuc]
JeanLuc has joined #WPWG
07:43:59 [OlivierMaas]
OlivierMaas has joined #wpwg
07:44:02 [Adam_]
Adam_ has joined #wpwg
07:44:37 [Gerhard_]
q+
07:44:39 [fahad]
fahad has joined #wpwg
07:44:42 [Peter_]
Peter_ has joined #wpwg
07:44:47 [Dingwei_]
Dingwei_ has joined #wpwg
07:45:00 [kenneth]
kenneth has joined #wpwg
07:45:16 [bryanluo]
bryanluo has joined #wpwg
07:45:31 [Bastien]
Bastien has joined #WPWG
07:45:34 [Vinoth]
Vinoth has joined #wpwg
07:45:35 [smcgruer_[EST]]
q+ to offer to scribe when I'm not talking
07:45:36 [smcgruer_[EST]]
q?
07:45:51 [benoit]
benoit has joined #wpwg
07:45:56 [bfeigel]
bfeigel has joined #wpwg
07:45:58 [Gerhard_]
q-
07:46:00 [nick_s]
q+
07:46:16 [nick_s]
q-
07:46:38 [sioked]
sioked has joined #wpwg
07:48:18 [Gerhard_]
20 for dinner tonight
07:48:39 [TEngland]
TEngland has joined #wpwg
07:48:59 [doug_F]
doug_F has joined #wpwg
07:49:26 [smcgruer_[EST]]
Agenda: https://github.com/w3c/webpayments/wiki/Agenda-TPAC2023
07:49:42 [Gerhard_]
https://w3c.zoom.us/j/88600469011?pwd=SDhRRGhseXgyd1BCcUlBRHZWTEZ0UT09
07:49:46 [Gerhard_]
Meeting details
07:49:46 [Sami]
Sami has joined #wpwg
07:50:29 [nicktr]
zakim, who is here?
07:50:29 [Zakim]
Present: Arman, benoit, canton, Stephen_McGruer, Helen_Qin, Rick_Byers
07:50:31 [Zakim]
On IRC I see Sami, doug_F, TEngland, sioked, bfeigel, benoit, Vinoth, Bastien, bryanluo, kenneth, Dingwei_, Peter_, fahad, Adam_, OlivierMaas, JeanLuc, HelenQin, jonathan, sarahob,
07:50:31 [Zakim]
... aidanfoley, solai, westin, SameerT, gkok, nick_s, JMGirard, tomasz, Gerhard_, RRSAgent, Zakim, hari, tminamii, pea1358, canton, benoit_, rouslan, dlehn, nelsoncwwu,
07:50:35 [Zakim]
... TimCappalli, imlostlmao, npd, Github, hober, Dongwoo, smcgruer_[EST], nicktr, wanderview, hadleybeeman, ljharb, tobie, rbyers, slightlyoff, Ian, weiler
07:51:01 [Tabitha]
Tabitha has joined #wpwg
07:51:21 [nicktr]
present+ evan_jacobs
07:51:44 [nicktr]
topic: Stripe SPC update
07:52:18 [nicktr]
evan_jacobs: Regulation is driving friction in payments
07:52:30 [nicktr]
...particularly in 3DS
07:52:48 [nicktr]
...we have been looking at biometric authentication
07:53:11 [nicktr]
...we look to see if we have seen a device before
07:53:17 [Gerhard_]
q?
07:53:28 [nicktr]
...if new, we enrol via 3DS
07:53:59 [nicktr]
ack sm`
07:54:02 [nicktr]
ack smcgruer_[EST]
07:54:03 [Zakim]
smcgruer_[EST], you wanted to offer to scribe when I'm not talking
07:54:09 [Dingwei_]
present+
07:54:14 [aidanfoley]
Stephen is the expert here :-)
07:54:30 [nicktr]
evan_jacobs: shows flow
07:54:43 [bryanluo]
present+ bryanluo
07:55:06 [nicktr]
...shows SPC "opt in"
07:55:19 [Gerhard_]
q+
07:55:22 [nicktr]
q+
07:55:31 [gkok]
present+
07:55:56 [nicktr]
Gerhard_: I see you are using "biometrics" not "passkey"
07:56:07 [bkardell_]
bkardell_ has joined #wpwg
07:56:07 [nicktr]
...does that cause issues when biometrics are not available
07:57:04 [nicktr]
aidanfoley: we will be revisiting all of the UX but we went with biometrics as the cue that would provoke users the most
07:57:15 [nicktr]
ack Gerhard_
07:57:20 [nicktr]
q-
07:57:56 [nicktr]
evan_jacobs: shows returning user case
07:58:53 [nicktr]
...throughout the user flow, opt out is available
07:59:16 [nicktr]
...turning to results. We are seeing a 7% improvement in authentication success
07:59:43 [nicktr]
...when returning users choose biometrics, success rate is >95%
07:59:59 [gkok]
q+
08:00:07 [nicktr]
...but only 50% of returning users choose biometrics
08:00:37 [nicktr]
...and latency is hugely improved from 30s to 12s
08:01:04 [nicktr]
gkok: do you know whether the returning users are on the same device?
08:01:13 [SameerT]
q+
08:01:50 [nick_s]
q+
08:01:50 [nicktr]
evan_jacobs: we are looking at improving that
08:02:16 [nicktr]
gkok: is the authentication improvement matched in authorisation rate
08:02:22 [nicktr]
evan_jacobs: no
08:02:24 [gkok]
q-
08:02:58 [nicktr]
aidanfoley: we have pilot running with an issuer currently, where authorisation rate is better
08:03:10 [nicktr]
SameerT: this looks like delegated authentication
08:04:29 [nicktr]
do you have any analysis of comparisons between this authentication mode v authentication offered by the issuer?
08:05:52 [fahad]
q+
08:06:12 [tomasz]
q+
08:07:04 [nicktr]
sameer: what happens if the enrolment fails? Does the merchant lose the transaction?
08:07:26 [nicktr]
aidanfoley: the enrolment happens _after_ a successful transaction
08:07:40 [nicktr]
ack SameerT
08:07:49 [Gerhard_]
q+
08:07:52 [nicktr]
ack nick_s
08:08:10 [nakjo_shishkov]
nakjo_shishkov has joined #wpwg
08:08:11 [nicktr]
nick_s: is enrolment per psp?
08:08:22 [nicktr]
...i.e. it's only for Stripe
08:08:25 [nicktr]
aidanfoley: yes
08:08:56 [Melissa_VS]
Melissa_VS has joined #wpwg
08:10:02 [tomasz]
q-
08:10:07 [nicktr]
nick_s: I'm worried about this as a barrier for new PSPs
08:10:17 [nicktr]
q+
08:10:34 [nicktr]
...it would be nice to see this shared across PSPs
08:10:36 [smcgruer_[EST]]
q?
08:11:13 [sami]
sami has joined #wpwg
08:11:59 [nicktr]
fahad: could you get better times via the issuer?
08:12:16 [tomasz]
q+
08:12:25 [nicktr]
aidanfoley: we continue to look at this
08:12:28 [nicktr]
q?
08:12:35 [nicktr]
ack fahad
08:12:40 [nicktr]
ack Gerhard_
08:12:55 [nicktr]
Gerhard_: who has liability? are you sending the binding?
08:13:16 [nicktr]
aidanfoley: Stripe are currently taking the liability with the delegated authentication flag set
08:13:52 [nicktr]
...and we continue to learn from it
08:14:30 [nicktr]
evan_jacobs: we are getting less fraud with this than "vanilla" 3DS but we are cautious about that
08:14:37 [nicktr]
aidanfoley: we are only 90 days in
08:15:17 [nicktr]
evan_jacobs: we are also seeing higher success with webauthn rather than SPC which we don't understand
08:15:41 [nicktr]
tomasz: did you try to run this as SPC directly
08:16:36 [smcgruer_[EST]]
q?
08:16:36 [nicktr]
aidanfoley: we do have this. The drop off is happening on the "OS prompt".
08:17:17 [nicktr]
tomasz: are you running this across platforms
08:17:32 [smcgruer_[EST]]
q+
08:17:34 [nicktr]
aidanfoley: yes, but when we launched on android then the drop off was big
08:17:41 [nicktr]
tomasz: do you know why?
08:18:06 [nicktr]
aidanfoley: no.
08:18:43 [nicktr]
evan_jacobs: to conclude - we continue to experiment, with much more UX research, and how to get more issuers involved
08:18:47 [nicktr]
q?
08:18:51 [nicktr]
ack tomasz
08:18:51 [smcgruer_[EST]]
q-
08:22:02 [Gerhard_]
q+
08:22:17 [TEngland]
TEngland has joined #wpwg
08:22:36 [nicktr]
Zakim: nicktr: thanks aidanfoley, evan_jacobs
08:22:56 [nicktr]
nicktr: I think new PSPs have plenty of challenges!
08:23:50 [Gerhard_]
q?
08:24:16 [nicktr]
nick_s: yes, but we should not put in improvements that clearly favour larger PSPs
08:24:21 [nicktr]
topic: Visa update
08:24:57 [Gerhard_]
q-
08:25:02 [nicktr]
ack nick_s
08:25:06 [nicktr]
ack nicktr
08:25:22 [nicktr]
doug_F: presents slides
08:26:02 [nicktr]
...Visa has been focussing on the use case of merchant initiated SPC where the issuer is the relying party
08:26:13 [nicktr]
...we have been conducting two pilots
08:26:22 [nicktr]
...both have 3ds architectures
08:26:49 [nicktr]
...phase 1 - friends and family
08:27:00 [nicktr]
...phase 2 - limited BIN range
08:27:42 [nicktr]
...the pilot is using 3DS 2.3.1.1 (the very latest specification)
08:28:40 [nicktr]
<shows flow with AReq and ARes>
08:29:12 [nicktr]
...the SPC assertion is passed in via a second AReq
08:29:38 [nicktr]
...the second pilot is using 2.2 with an extension with Modirum
08:30:29 [nicktr]
...both bringing reassurance about backward compatibility and a check in the latest spec
08:31:26 [nicktr]
doug_F: we wanted to provide feedback on UI and to investigate SPC v other authentication
08:31:57 [nicktr]
...we also wanted to look at fallback to 3DS if the user hits cancel or other failure states
08:33:23 [nicktr]
... we found that users need more context and explanation of the value proposition
08:33:45 [nicktr]
...many participants struggled to understand what they were being asked to do and why
08:34:11 [nicktr]
...and in particular didn't understand that the credentials were specific to the browser
08:35:16 [nicktr]
doug_F: we found that the passkey dialogue box caused confusion (we saw one user trying to write things down)
08:37:17 [nicktr]
...we found that users tried to "touch" the fingerprint image on the SPC dialogue
08:37:34 [nicktr]
...there was a lot of difference between OS
08:38:06 [nicktr]
...with better results in MacOS than in Windows
08:39:12 [nicktr]
q+ to talk about windows hello experience
08:39:42 [nicktr]
...windows dialogues seemed to cause more problems
08:39:50 [smcgruer_[EST]]
q+ to ask about user.name/user.displayName as what looks like an id
08:40:47 [nicktr]
doug_F: cancel did not test well
08:41:05 [nicktr]
...but sentiment towards biometrics was generally positive
08:41:28 [Gerhard_]
q+
08:41:31 [nicktr]
...3DS tested well - but European users in particular are very familiar
08:42:20 [nicktr]
...inconsistency across OS and devices and browsers is a real challenge
08:42:20 [nicktr]
...Visa recommends iterative content and interaction design work
08:42:51 [nicktr]
doug_F: comapres SPC v OTP
08:43:15 [nicktr]
s/comapres/compares/
08:43:24 [nicktr]
...SPC is faster!
08:44:47 [nicktr]
doug_F: shows demo and points out additional browser screen to prevent timing attack but which adds friction
08:44:52 [nicktr]
q?
08:45:16 [nicktr]
ack smcgruer_[EST]
08:45:16 [Zakim]
smcgruer_[EST], you wanted to ask about user.name/user.displayName as what looks like an id
08:45:34 [tomasz]
q+
08:46:16 [nicktr]
smcgruer_[EST]: it might be easier to add card name in the display name fields
08:46:48 [nicktr]
doug_F: behaviour is different between browsers
08:47:27 [Soumya]
Soumya has joined #wpwg
08:47:46 [nicktr]
smcgruer_[EST]: on the no matching credentials dialogue, is this a different device issue?
08:47:50 [nicktr]
doug_F: yes
08:48:32 [nicktr]
Gerhard_: chrome and safari use different data fields in webauthn
08:49:19 [nicktr]
Gerhard_: 3DS tests better but users are more familiar - do you think it's this familiarity that is driving the better result?
08:49:46 [nicktr]
doug_F: I think it's both familiarity and maturity - we have done so much testing of 3DS
08:49:48 [tomasz]
q?
08:49:54 [nicktr]
ack Gerhard_
08:50:19 [rbyers]
q+
08:50:20 [smcgruer_[EST]]
q+ to also ask about merchant-triggered vs acs-triggered
08:50:48 [nicktr]
q+ later
08:50:52 [nicktr]
q-
08:51:24 [nicktr]
ack tomasz
08:51:43 [Dingwei]
Dingwei has joined #wpwg
08:52:02 [nicktr]
tomasz: points out windows hello uses the receiving party ID
08:52:32 [gkok]
q+
08:52:34 [nicktr]
smcgruer_[EST]: webauthn community pushed back on using receiving party name
08:52:44 [nicktr]
...but might now be different
08:52:53 [nicktr]
...it's very confusing for the user
08:53:13 [nicktr]
...most users don't know who the PSP is (even Stripe)
08:53:44 [SameerT]
q+ for Imran/Nakjo - how will the fallback work on merchant initiated flow when the intermittent user activation screen is removed
08:53:48 [nicktr]
aidanfoley: users just know where they are shopping - the merchant name
08:54:07 [nicktr]
q-
08:54:15 [nicktr]
ack rbyers
08:54:19 [smcgruer_[EST]]
s/receiving/relying
08:54:33 [nicktr]
rbyers: did you test webauthn v SPC like Stripe?
08:55:41 [nicktr]
doug_F: we looked at webauthn as a fallback
08:55:46 [nicktr]
q?
08:55:48 [smcgruer_[EST]]
q-
08:56:15 [nicktr]
q?
08:57:04 [tomasz]
q?
08:57:59 [tomasz]
q+
08:58:13 [nicktr]
gkok: suggests improvement to flow (didn't catch detail)
08:58:35 [nicktr]
dougF: we didn't try that
08:59:19 [gkok]
suggests improvement to flow by replacing the "cancel" button by something like "verify through other means"
08:59:21 [nicktr]
ack SameerT
08:59:21 [Zakim]
SameerT, you wanted to discuss Imran/Nakjo - how will the fallback work on merchant initiated flow when the intermittent user activation screen is removed
08:59:34 [nicktr]
ack gkok
09:00:34 [nicktr]
tomasz: have you compared SPC v mobile authentication for 3DS
09:00:50 [nicktr]
dougF: yes, and we could demo that
09:01:55 [nicktr]
imran_ahmed presents modirum findings from SPC
09:02:56 [nicktr]
<summary slide>
09:04:04 [nicktr]
imran: transient user activation is required - we have implemented a dual authentication option but this is removed in Chrome v118
09:04:37 [nicktr]
imran: flow when a new device is present is two additional clicks
09:05:07 [nicktr]
imran: user ID is tied to "name" field, tied to user not device
09:05:24 [nicktr]
...windows shows on registration and authentication
09:05:37 [nicktr]
...but Android and MacOS shows only on registration
09:05:59 [nicktr]
...possible alternatives: PAN, masked PAN, or user chosen name
09:07:34 [nicktr]
...SPC credential is unique ID - user ID + RP ID _ device platform authenticator
09:08:02 [nicktr]
...case 1: browsers not sharing SPC credentials (except Android)
09:08:20 [nicktr]
...case 2: Windows11 passkey synching
09:08:38 [nicktr]
...but SPC credentials are not shared
09:08:57 [Gerhard_]
q+
09:09:06 [nicktr]
...registration on new device fails - platform authenticator reports credentials already exist
09:09:14 [nicktr]
ack tomasz
09:10:02 [nicktr]
imran: future considerations - biometrics clearly very important in SPC
09:10:09 [Peter]
Peter has joined #wpwg
09:10:41 [nicktr]
...would be good to see issuer and scheme logos on SPC UI
09:10:48 [Bastien]
Bastien has joined #WPWG
09:10:52 [Adam_]
Adam_ has joined #wpwg
09:12:04 [nicktr]
...would like to understand effect on public key extensions and also role of roaming authenticators
09:12:49 [nicktr]
Gerhard_: points out difference between "trust this device" or "trust this browser"
09:13:33 [nicktr]
smcgruer_[EST]: webauthn is "trust this platform"
09:16:02 [rbyers]
FedID CG meeting next: https://github.com/fedidcg/meetings/blob/main/2023/2023-09-11-TPAC-agenda.md
09:16:07 [Evan_Jacobs]
Evan_Jacobs has joined #wpwg
09:16:09 [rwatkins-ma]
rwatkins-ma has joined #wpwg
09:16:42 [Kavya]
Kavya has joined #wpwg
09:16:48 [nicktr]
break for coffee
09:17:37 [JAYADEVI]
JAYADEVI has joined #wpwg
09:17:47 [rbyers]
zoom link: https://w3c.zoom.us/j/9020046588?pwd=TlFQODcrdEZhajBjODI0bm91N2pYQT09
09:30:50 [nick_s]
nick_s has joined #wpwg
09:36:42 [benoit_]
benoit_ has joined #wpwg
10:21:51 [helen]
helen has joined #wpwg
10:27:32 [benoit_]
benoit_ has joined #wpwg
10:36:11 [Melissa_VS]
Melissa_VS has joined #wpwg
10:37:34 [nick_s]
nick_s has joined #wpwg
10:38:09 [Adam_]
Adam_ has joined #wpwg
10:38:32 [nicktr]
topic: Update on SPC with passkeys
10:38:45 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/09/11-wpwg-minutes.html nicktr
10:39:09 [benoit_]
benoit_ has joined #wpwg
10:39:13 [Bastien]
Bastien has joined #WPWG
10:39:18 [SameerT_]
SameerT_ has joined #wpwg
10:42:06 [Dingwei]
Dingwei has joined #wpwg
10:43:20 [nicktr]
q?
10:43:31 [nicktr]
queue=
10:45:48 [fahad]
fahad has joined #wpwg
10:48:05 [nick_s]
present+
10:48:10 [fahad]
present+
10:48:11 [Melissa_VS]
present+
10:48:13 [JeanLuc]
present+
10:48:13 [rwatkins-ma]
present+
10:48:15 [westin]
present+
10:48:16 [TEngland]
TEngland has joined #wpwg
10:48:16 [Gerhard]
Gerhard has joined #wpwg
10:48:16 [kenneth]
present+
10:48:18 [SameerT_]
present+
10:48:18 [Adam_]
present+
10:48:18 [Gerhard]
present+
10:48:21 [benoit]
present+
10:48:32 [HelenQin]
HelenQin has joined #wpwg
10:48:33 [Tabitha]
Tabitha has joined #wpwg
10:48:36 [Soumya]
Soumya has joined #wpwg
10:48:36 [HelenQin]
present+
10:48:37 [Peter_]
Peter_ has joined #wpwg
10:48:42 [Nakjo_Shishkov]
Nakjo_Shishkov has joined #wpwg
10:48:42 [Dingwei]
present+
10:48:43 [Evan_Jacobs]
Evan_Jacobs has joined #wpwg
10:48:43 [Tabitha]
present+
10:48:44 [hari]
present+
10:48:51 [Nakjo_Shishkov]
present+
10:48:52 [Peter_]
present+
10:48:52 [TEngland]
present+
10:48:53 [Soumya]
present+
10:48:54 [Evan_Jacobs]
present+
10:48:57 [sioked]
present+
10:49:21 [tomasz]
tomasz has joined #wpwg
10:49:24 [tomasz]
present+
10:49:26 [Bastien_]
Bastien_ has joined #WPWG
10:49:28 [Bastien_]
present+
10:51:14 [Imran]
Imran has joined #wpwg
10:51:15 [nicktr]
jonathan presents objectives slides:
10:51:22 [nicktr]
1) reduce fraud and false declines
10:51:27 [Imran]
present
10:51:27 [nicktr]
2) reduce friction
10:51:37 [nicktr]
3) improve conversion
10:52:49 [nicktr]
jonathan: identifies use cases for passkey and cards
10:53:00 [nicktr]
...issuer is the relying party
10:53:14 [nicktr]
...merchant/PSP/wallet is the relying party
10:54:30 [nicktr]
...(authentication ultimately passed to issuer via scheme specific mechanism)
10:54:34 [gkok]
gkok has joined #Wpwg
10:54:55 [nicktr]
...lastly, where mastercard is the relying party
10:55:10 [gkok]
gkok has left #wpwg
10:55:21 [gkok]
gkok has joined #wpwg
10:55:34 [gkok]
gkok has left #wpwg
10:55:47 [gkok]
gkok has joined #wpwg
10:55:52 [nicktr]
...which has advantages in terms of consumer familiarity with the mastercard brand
10:56:14 [nicktr]
jonathan: what does SPC bring over webauthn?
10:56:41 [nicktr]
...1) only prompt when there is an authentication credential on the device
10:57:00 [nicktr]
2) x-origin authentication
10:57:08 [nicktr]
2) dynamic linking
10:57:16 [JMGirard]
JMGirard has joined #wpwg
10:57:22 [nicktr]
s/2) dynamic/3) dynamic/
10:57:33 [nicktr]
4) consistency and secure display
10:58:20 [nicktr]
jonathan: secure display includes "sign what you see"
10:59:23 [nicktr]
smcgruer_[EST]: with SPC there are additional fields in the challenge result (you could do it with webauthn but it's explicit in SPC)
10:59:31 [nick_s]
q+
10:59:50 [nicktr]
ack nick_s
11:00:45 [nicktr]
nick_s: we need to stop SPC allowing discovery of whether biometry is enabled
11:00:57 [nicktr]
smcgruer_[EST]: agreed - we need to improve the UX
11:01:31 [nicktr]
jonathan: if there is no credential, is there no dialogue?
11:01:51 [nicktr]
smcgruer_[EST]: no, there is always a dialogue, but the fallback UI is not good
11:02:41 [gkok]
Q+
11:03:10 [nicktr]
...FedCM is trying to do this with a complicated timing screen which does not have consensus across the browser vendors
11:06:02 [Sami]
Sami has joined #wpwg
11:06:21 [nicktr]
gkok: could issuers learn what kind of verification has occurred
11:06:46 [nicktr]
smcgruer_[EST]: not at the moment - it would definitely be a topic for discussion with webauthn wg tomorrow
11:07:40 [nicktr]
rakesh: what kind of support are we seeing from issuers?
11:08:07 [nicktr]
SameerT_: login is an easy use case for issuers as it's a first party context
11:08:28 [nicktr]
SameerT_: but enrolment is more difficult and payment another step beyond that
11:09:19 [nicktr]
gerard: iframes lack permissions, fallback in web versus apps
11:09:36 [nicktr]
...and the lack of consistency causes friction
11:09:57 [nicktr]
s/gerard: iframes/Gerhard : iframes/
11:10:35 [nicktr]
jonathan: shows example flow with passkey
11:10:46 [nicktr]
present+: jonathan_grossar
11:11:22 [nicktr]
...(registration during checkout)
11:12:26 [nicktr]
...(returning user)
11:12:49 [nicktr]
...showing difference between vanilla webauthn and SPC
11:13:23 [nicktr]
jonathan: introduction of passkeys brings two new challenges
11:14:06 [nicktr]
...1) passkeys don't have an attestation to allow validation
11:15:09 [nicktr]
...2) passkeys are synchronised across devices. some implementations don't allow the RP to work out which device the user is on
11:15:45 [nicktr]
q+ to ask about attestation
11:15:50 [nicktr]
ack gkok
11:16:43 [nick_s]
q+
11:17:16 [Gkok]
Gkok has joined #Wpwg
11:17:19 [Peter]
Peter has joined #wpwg
11:17:26 [Gkok]
+q
11:18:34 [nicktr]
ack nicktr
11:18:34 [Zakim]
nicktr, you wanted to ask about attestation
11:18:58 [nicktr]
nicktr: did we lose attestation when passkey was introduced?
11:19:26 [nicktr]
jonathan: no, it's only option in webauthn
11:19:53 [nicktr]
nick_s: can you say more about why it's difficult for SCA
11:21:09 [nicktr]
jonathan: the lack of information about how the user possession is validated
11:21:58 [nicktr]
ack Gkok
11:22:01 [nicktr]
ack nick_s
11:23:44 [nicktr]
gkok: understanding where the liability sits is critical
11:24:09 [nicktr]
q?
11:24:52 [nicktr]
q+ to observe that the schemes have made the liability situations clear in the past (for example with the introduction of 3DS)
11:25:13 [nicktr]
ack nicktr
11:25:13 [Zakim]
nicktr, you wanted to observe that the schemes have made the liability situations clear in the past (for example with the introduction of 3DS)
11:27:12 [Sami]
Sami has joined #wpwg
11:27:36 [nicktr]
nicktr: the ecosystem works best when everyone understands where the risk is sitting so ideally we would "paint" the transaction with all the information that would be necessary
11:27:54 [smcgruer_[EST]]
q?
11:28:01 [nicktr]
jonathan: (shows degraded UX)
11:28:11 [smcgruer_[EST]]
q+
11:28:20 [nick_s]
q+
11:28:50 [nicktr]
smcgruer_[EST]: it sounds like in a 1P context, webauthn works
11:29:09 [nicktr]
...in a 3P context, would an iframe suffice?
11:29:43 [nicktr]
...in other words, should we just make webauthn work better in iframes?
11:30:03 [nicktr]
jonathan: we would prefer not to have to open iframes
11:31:15 [nicktr]
jonathan: (shows potential use case of using SPC to access their account e.g. click to pay)
11:31:25 [nicktr]
ack smcgruer_[EST]
11:32:01 [nicktr]
...which would require changes to prompt and also removal of "total" field
11:32:13 [nicktr]
ack nick_s
11:32:30 [nicktr]
nick_s: don't cookies have the same problem? Cookies can be back up
11:32:42 [nicktr]
s/back up/backed up/
11:33:56 [nicktr]
nick_s: it sounds like what we really want is a way of uniquely identifying that the device that was enrolled is the one presenting the credential
11:35:28 [nicktr]
smcgruer_[EST]: is cookie theft in your threat model, payment folks?
11:36:00 [nicktr]
rakesh: it certainly informs our thinking
11:36:32 [nicktr]
nick_s: sounds like there is other data that we could use
11:38:37 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/09/11-wpwg-minutes.html nicktr
11:39:01 [nicktr]
Gerhard: may I remind you that there is a world outside Europe and we need to find that balance
11:39:15 [nicktr]
break for lunch
11:45:26 [benoit_]
benoit_ has joined #wpwg
11:46:23 [benoit_]
benoit_ has joined #wpwg
12:14:17 [bryanluo]
bryanluo has joined #wpwg
12:27:32 [Adam_]
Adam_ has joined #wpwg
12:27:55 [bryanluo]
bryanluo has joined #wpwg
12:29:47 [bryanluo_]
bryanluo_ has joined #wpwg
12:33:26 [benoit_]
benoit_ has joined #wpwg
12:33:42 [nick_s]
nick_s has joined #wpwg
12:33:54 [westin]
westin has joined #wpwg
12:34:10 [SameerT]
SameerT has joined #wpwg
12:35:47 [bryanluo]
bryanluo has joined #wpwg
12:36:50 [Gkok]
Gkok has joined #wpwg
12:38:10 [rouslan]
present+ Rouslan
12:38:10 [fahad]
fahad has joined #wpwg
12:38:10 [nicktr]
topic: netcetera demos
12:39:15 [bryanluo_]
bryanluo_ has joined #wpwg
12:39:15 [nicktr]
present+ nakjo_shishkov
12:39:15 [nicktr]
zakim, who is here?
12:39:15 [Zakim]
Present: Arman, benoit, canton, Stephen_McGruer, Helen_Qin, Rick_Byers, evan_jacobs, Dingwei_, bryanluo, gkok, nick_s, fahad, Melissa_VS, JeanLuc, rwatkins-ma, westin, kenneth,
12:39:15 [Zakim]
... SameerT_, Adam_, Gerhard, HelenQin, Dingwei, Tabitha, hari, Nakjo_Shishkov, Peter_, TEngland, Soumya, sioked, tomasz, Bastien_, :, jonathan_grossar, Rouslan
12:39:15 [Zakim]
On IRC I see bryanluo_, fahad, Gkok, bryanluo, SameerT, westin, nick_s, benoit_, Adam_, JMGirard, SameerT_, Melissa_VS, helen, Kavya, bkardell_, bfeigel, benoit, kenneth, JeanLuc,
12:39:15 [Zakim]
... RRSAgent, Zakim, hari, tminamii, pea1358, canton, rouslan, dlehn, nelsoncwwu, TimCappalli, imlostlmao, npd, Github, hober, Dongwoo, smcgruer_[EST], nicktr, wanderview,
12:39:15 [Zakim]
... hadleybeeman, ljharb, tobie, rbyers, slightlyoff, Ian, weiler
12:39:15 [Gerhard]
Gerhard has joined #wpwg
12:39:15 [martin_a]
martin_a has joined #wpwg
12:39:48 [martin_a]
present+ martin_alvarez
12:39:48 [nicktr]
nakjo: our demo ran on v2.3.1.1, with a participating issuer and a participating merchant
12:39:48 [evan_jacobs]
evan_jacobs has joined #wpwg
12:40:52 [bryanluo_]
bryanluo_ has joined #wpwg
12:40:52 [Tony_E]
Tony_E has joined #wpwg
12:41:01 [sioked]
sioked has joined #wpwg
12:41:04 [nicktr]
(shows demo store in a preview environment)
12:41:43 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/09/11-wpwg-minutes.html nicktr
12:41:44 [tomasz]
tomasz has joined #wpwg
12:43:28 [nicktr]
(shows non-happy path, the requestor doesn't support SPC)
12:43:31 [Jayadevi]
Jayadevi has joined #wpwg
12:44:11 [Soumya]
Soumya has joined #wpwg
12:44:11 [bryanluo]
bryanluo has joined #wpwg
12:44:11 [SameerT]
q+
12:44:30 [fahad]
q+
12:45:02 [rwatkins-ma]
rwatkins-ma has joined #wpwg
12:45:16 [nicktr]
SameerT: in merchant initiated flow, there's no iframe - there's no issuer messaging
12:45:20 [Sami]
Sami has joined #wpwg
12:45:41 [nicktr]
...but in the second flow, the issuer has rendered an iframe. Just wanted to highlight that
12:45:50 [nicktr]
ack SameerT
12:45:51 [Gkok]
Gkok has joined #Wpwg
12:45:52 [Gkok]
Q+
12:47:24 [martin_a]
martin_a has left #wpwg
12:47:24 [Bastien]
Bastien has joined #WPWG
12:47:27 [nicktr]
fahad: who makes the "show credential" call?
12:48:16 [nicktr]
nakjo: in the merchant initiated page, it's the merchant. In the non-spc flow, it's the issuer
12:48:20 [nicktr]
Gkok:
12:48:50 [nicktr]
ack Gkok
12:48:53 [nicktr]
ack fahad
12:49:26 [nicktr]
nakjo: (shows the fail flow - hits cancel)
12:49:56 [nicktr]
(defaults to out of band authentication)
12:53:01 [Tabitha]
Tabitha has joined #wpwg
12:53:22 [Tabitha]
present+
12:56:03 [Sami]
present+
12:56:03 [Gkok]
Q+
12:56:25 [smcgruer_[EST]]
q+
12:57:02 [Gkok]
Q-
12:57:06 [Gerhard]
q+
12:57:07 [rouslan]
q+ to ask about `"showOptOut": true` on the code snippet slide. Is there a use case for it? Is that useful?
12:57:29 [nicktr]
nakjo: shows mismatch between 3DS and SPC spec (3DS spec has Relying party ID, credential pairs, SPC has one RP ID and multiple credentials)
12:57:42 [nicktr]
...(shows unregister UI)
12:57:51 [Gkok]
Q+
12:58:32 [nicktr]
...I don't know whether there is a maximum number of credentials
12:59:14 [nicktr]
smcgruer_[EST]: I think the 3DS/SPC mismatch fix is relatively fixable
13:00:10 [rouslan]
q-
13:00:48 [nicktr]
...with regard to the opt out, the intent of the Chrome implementation, we suggest that the opt out link takes the user to somewhere where they can manage the credentials that the caller has issued
13:01:25 [nicktr]
dougF: in the third-party model, the issuer needs to be able to invoke this
13:01:44 [nicktr]
smcgruer_[EST]: I think we assumed the issuer and merchant would have to talk.
13:02:05 [alakatos]
alakatos has joined #wpwg
13:02:27 [nicktr]
...the link is not a "weblink" - it causes the authentication to fail with an error condition
13:02:44 [nicktr]
..."opt out error"
13:03:00 [nicktr]
q?
13:03:07 [nicktr]
ack smcgruer_[EST]
13:04:11 [nicktr]
smcgruer_[EST]: is this opt out still important?
13:04:11 [nicktr]
nakjo: yes, deregistration is still important
13:04:54 [nicktr]
ack Gerhard
13:05:03 [imran]
imran has joined #wpwg
13:05:22 [nicktr]
Gerhard: would it be possible for a directory server to add its RPID ?
13:06:22 [nicktr]
nakjo: yes, technically you could do this, but I don't know what would happen on the ACS?
13:08:12 [nicktr]
gerhard: what happens with multiple credentials?
13:08:27 [nicktr]
smcgruer_[EST]: we would only show credentials that could be used?
13:08:45 [nicktr]
q?
13:10:57 [nicktr]
Gkok: it's not clear how we would prioritise which one to use if there were more than one
13:12:04 [nicktr]
...and I'd suggest that the opt out resulted in a signed request to remove the credential
13:13:10 [nicktr]
nakjo: (demos flow when SPC is not supported by requestor or in iframe)
13:13:44 [nicktr]
nakjo: here we fall back to webauthn in a new window with access in a 1P context
13:14:15 [rouslan]
q+ to talk about popups with WebAuthn and SPC
13:14:41 [nicktr]
ack Gkok
13:15:04 [nicktr]
nakjo: the sandbox attribute means that this doesn't work
13:15:18 [nicktr]
ack rouslan
13:15:18 [Zakim]
rouslan, you wanted to talk about popups with WebAuthn and SPC
13:15:35 [Gkok]
Q+
13:16:17 [wanderview]
wanderview has left #wpwg
13:16:30 [rouslan]
q?
13:16:45 [SameerT]
q+
13:16:54 [nicktr]
nakjo: we're talking about a back up of a back up here
13:17:01 [nicktr]
ack Gkok
13:18:39 [nicktr]
gkok: could we just default SPC on in iframes?
13:18:42 [nicktr]
smcgruer_[EST]: no
13:18:52 [SameerT]
q-
13:19:10 [nicktr]
dougF: but SPC is now in the requirements of 3DS including the browser settings
13:19:15 [nicktr]
q?
13:20:02 [nicktr]
nakjo: many corporate managed computers and phones restrict platform authenticators including windows hello
13:20:27 [nicktr]
...and platform authenticator is not available in private/incognito mode
13:21:16 [nicktr]
topic: netcetera demo of SPC on Android with custom tabs
13:21:56 [tomasz]
q?
13:22:05 [nicktr]
(shows passkey registration and authentication flows)
13:23:16 [nicktr]
nakjo: purpose of this investigation was to see if we could do SPC from a native app - or at least as close to native as possible
13:24:18 [nicktr]
...we had a native application that contained the checkout experience and moved the SPC challenge "next to" the native app via a web landing page
13:24:29 [SameerT]
q+
13:25:07 [SameerT]
q-
13:25:22 [nicktr]
...we had several failed attempts - webview failed so we tried custom tabs
13:25:45 [nicktr]
(shows demo app)
13:26:49 [nick_s]
q+
13:29:13 [nicktr]
q?
13:29:49 [tomasz]
q+
13:29:55 [SameerT]
q+
13:29:56 [nicktr]
nakjo: shows it's possible to deliver SPC experience in a custom tabs
13:30:26 [nicktr]
nick_s: what's the benefit of relying on SPC v the bank's app
13:30:42 [nicktr]
ack nick_s
13:31:05 [nicktr]
Gerhard: not all banks have a native app
13:31:20 [Gkok__]
Gkok__ has joined #Wpwg
13:31:22 [nicktr]
...and consumers get lost moving between apps
13:31:31 [nicktr]
...3DS 2.3.1 addresses some of that
13:31:38 [nicktr]
ack tomasz
13:32:38 [nicktr]
can you explain the communication between the custom tab and the native app?
13:33:14 [Gkok___]
Gkok___ has joined #Wpwg
13:33:31 [Gkok___]
Q+
13:33:36 [nicktr]
nakjo: we use a specific redirect URL and a link listener in the native app (which then checks the status)
13:33:38 [nicktr]
q?
13:34:11 [nicktr]
ac SameerT
13:34:11 [nicktr]
ack SameerT
13:34:12 [nicktr]
SameerT: is this over 3DS?
13:34:21 [nicktr]
nakjo: no, though it could be.
13:34:52 [nicktr]
q?
13:36:15 [nicktr]
ack Gkok___
13:36:17 [smcgruer_[EST]]
q+
13:36:23 [smcgruer_[EST]]
q-
13:37:14 [fahad]
q+
13:37:18 [nicktr]
nakjo: we can use custom tabs, but session handling, landing authentication page is tricky
13:37:38 [nicktr]
...error handling is also harder
13:37:50 [nicktr]
...and redirection to native app doesn't always work
13:38:16 [nicktr]
...also you may have to override the default browser
13:38:38 [fahad]
q-
13:38:46 [nicktr]
...ideas for improvement include message exchange or event listener
13:38:50 [nicktr]
q?
13:39:31 [nicktr]
Gkok___: I would love to see this working better if SPC in general picks up in popularity
13:39:58 [nicktr]
...is there a world where native apps could use SPC more easily?
13:40:33 [nicktr]
smcgruer_[EST]: yes. We would love to make the workarounds unnecessary but we need to get the priority to do this work
13:41:09 [nicktr]
Gerhard: it would be great to get "do SPC" added to the 3DS spec in the merchant app API
13:42:35 [nicktr]
SameerT: I could possibly see this working for bigger merchant apps, where they may already be doing biometric authentication
13:43:13 [nicktr]
Gerhard: doing this for each merchant app is a deployment nightmare
13:43:16 [nicktr]
q?
13:43:59 [nicktr]
topic: apple perspectives
13:44:16 [nicktr]
nick_s: we are happy to be back
13:46:30 [nicktr]
nick_s: we support payment request in MacOS, iOS, iPad and VisionPro (sp?) with authentication via iris
13:46:30 [nicktr]
...on SPC - we are potentially interested as a merchant and also in delegated authentication
13:47:11 [nicktr]
...it would be interesting to see SPC on other payment methods
13:48:04 [nicktr]
nick_s: (for clarity, I work on ApplePay not webkit)
13:48:11 [nicktr]
nick_s: we would love to see shipping and billing address back in payment request
13:48:14 [nicktr]
...we know there are challenges with I18n and privacy
13:50:20 [nicktr]
nick_s: we are now supporting "advance fraud protection" for Visa cards which is a private connection between the device and ?scheme? (NickTR missed this endpoint)
13:50:40 [nicktr]
...we are interested in the receipt use case
13:50:42 [nicktr]
q?
13:51:56 [nicktr]
Gerhard: could that additional information be provided to the issuer?
13:51:56 [nicktr]
q?
13:52:22 [nicktr]
nick_s: I think we would be interested in investigating that as a standardised way of communicating it
13:52:47 [nicktr]
gkok: what are the roadblocks for SPC?
13:53:18 [nicktr]
...I think there are clearly user experience and privacy issues to resolve
13:53:37 [rbyers]
https://github.com/WebKit/standards-positions/issues/30
13:53:55 [nicktr]
...you can see Apple's positions here -> https://github.com/WebKit/standards-positions/issues/30 positions on standards
13:54:17 [nicktr]
q?
13:55:54 [nicktr]
nick_s: if there is interest in using SPC in native apps, I think it would be interesting to explore how we could make this more seamless
13:56:52 [nicktr]
joyce: could I have better control over my physical payments like I have on web payments? For example, the payment confirmation
13:57:25 [nicktr]
nick_s: I would be delighted to talk to you about that - one limitation is the information that's available via the NFC interface
13:59:11 [nicktr]
...some of these payment standards are quite old
14:00:33 [nicktr]
...we have also recently introduced taking payments contactlessly via iPhones and have made some accessibility improvements there
14:00:36 [nicktr]
q?
14:01:30 [rbyers]
FWIW Rick and Stephen had to jump for a meeting 4:00-4:30, but we're obviously very interested in this topic. Sorry for the conflict.
14:02:01 [Gkok]
Gkok has joined #wpwg
14:02:15 [Gkok]
Q+
14:02:52 [Adam_]
Adam_ has joined #wpwg
14:03:41 [nicktr]
Sami: are we trying to define best practices for SPC implementations?
14:04:41 [nicktr]
Gerhard: I think it would be great if we could come up with a framework for comparing SPC implementations
14:05:27 [nicktr]
evan_jacobs: we have a lot of challenge talking to issuers because we often measure different metrics or see different results
14:06:30 [nicktr]
sami: we see lots of different approaches
14:07:23 [nicktr]
Gkok: I can see both issuer and scheme implementations working depending on scale of the issuer
14:07:38 [nicktr]
ack Gkok
14:07:55 [nicktr]
gkok: let me give a merchant perspective
14:08:22 [nicktr]
...we really need relying parties outside our PSPs
14:08:38 [nicktr]
...and in particular more issuers
14:09:11 [nicktr]
...there is interest from issuers but they're not getting consistent messaging and support and information
14:09:55 [nicktr]
...mobile browser is giving us the biggest headache for conversion
14:10:06 [imran]
imran has joined #wpwg
14:10:11 [nicktr]
...and diagnosis is really hard
14:10:57 [nicktr]
...again, as a merchant, we need more "insurance".
14:11:16 [alakatos]
alakatos has joined #wpwg
14:12:04 [nicktr]
gkok: it's all about the value of the user - particularly on the first transaction. I would give up liability shift on first transaction
14:12:27 [nicktr]
evan_jacobs: is there interest in implementing SPC in non-SCA markets?
14:13:11 [nicktr]
gkok: yes, if the performance uptick is worthwhile. It all comes down to the experience
14:13:11 [nick_s]
q+
14:13:31 [nicktr]
evan_jacobs: I do wonder if there is an opportunity to do more with delegate authentication in the US market
14:14:08 [nicktr]
nick_s: the optimist thinks that would be great. the pessimist (realist) looks at how hard Chip and PIN was in the US
14:14:36 [nicktr]
...I think you need either regulation or a significant economic incentive
14:15:05 [nicktr]
gkok: I agree. perhaps it also opens up new business models or payment methods - for example in open banking
14:16:22 [nicktr]
evan_jacobs: some US issuers see authenticated transactions as inherently riskier than non-authenticated ones
14:16:25 [nicktr]
q?
14:16:34 [nicktr]
ack
14:16:36 [nicktr]
ack nick_s
14:16:37 [nicktr]
q?
14:17:03 [solai]
solai has joined #wpwg
14:19:29 [nicktr]
we break for coffee
14:19:45 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/09/11-wpwg-minutes.html nicktr
14:22:09 [benoit_]
benoit_ has joined #wpwg
14:25:40 [bryanluo]
bryanluo has joined #wpwg
15:00:28 [benoit_]
benoit_ has joined #wpwg
15:00:35 [yoav_]
yoav_ has joined #wpwg
15:02:18 [bryanluo]
bryanluo has joined #wpwg
15:04:02 [Sami]
Sami has joined #wpwg
15:04:07 [benoit_]
benoit_ has joined #wpwg
15:04:19 [rwatkins-ma]
rwatkins-ma has joined #wpwg
15:06:16 [alakatos]
alakatos has joined #wpwg
15:06:39 [nick_s]
nick_s has joined #wpwg
15:07:50 [Tony_E]
Tony_E has joined #wpwg
15:08:55 [nicktr]
Topic: Breakouts and future topics
15:09:32 [nicktr]
nicktr: please note that the restaurant that we have a booking at this evening is here -> https://goo.gl/maps/D5VdQDoMwdbKhDwe7
15:09:54 [nicktr]
https://aderezotapas.es
15:10:35 [nicktr]
It's the El Porvenir one (about 15 minute walk from the Melia hotel)
15:29:29 [bryanluo]
bryanluo has joined #wpwg
15:34:52 [nick_s]
nick_s has joined #wpwg
15:39:02 [nick_s]
nick_s has joined #wpwg
15:41:51 [nick_s]
nick_s has joined #wpwg
15:44:44 [bryanluo]
bryanluo has joined #wpwg
15:54:04 [nick_s]
nick_s has joined #wpwg
15:54:57 [Gerhard]
Group 1: Expanded payment use-cases
15:55:09 [Gerhard]
Two categories: Non-payment use-cases and complex use-cases
15:55:15 [Gerhard]
(Sami giving feedback)
15:55:25 [Gerhard]
Second one was a broad discussion
15:55:35 [Gerhard]
What should SPC have extra.
15:55:40 [Gerhard]
Use-cases:
15:55:44 [Gerhard]
* Accessing a wallet
15:55:59 [Gerhard]
ID&V / enroll passkey (SPC) after legacy ID&V
15:56:19 [Gerhard]
Can SPC fields be expanded for this?
15:56:25 [Gerhard]
Complex use-cases were more diverse.
15:56:35 [Gerhard]
Payments + ID Data (e.g. age / location)
15:57:07 [Gerhard]
* Make Autofill and SPC smoother together (Can we trust this / binding this on the browser)
15:57:21 [Gerhard]
* Recurring transactions (once a month/ initial + recurring, etc)
15:57:28 [Gerhard]
Conclusions:
15:57:51 [Gerhard]
* Bigger picture is important. SPC is being used is broader than the single part.
15:58:01 [Gerhard]
Merchant + Network + Issuer.
15:58:08 [Gerhard]
q?
15:58:53 [Gerhard]
Payment & ID and Autofill was where a lot of time around this?
15:59:35 [Gerhard]
Non Payment Auth has a ticket on it.
16:00:00 [Gerhard]
Group 2: Increasing trust and reducing friction
16:00:10 [Gerhard]
* Take lessons from FedCM
16:00:25 [Gerhard]
They offer more context to the customer so dialog can show list or narrow it down.
16:00:36 [Gerhard]
Also had a silent login option.
16:00:58 [Gerhard]
Could we enrich the API so the relying party could share more information
16:01:35 [Gerhard]
Next one was how we could add more browser data to the flow - influence on how the passkey/SPC asks for fingerprint.
16:02:01 [Gerhard]
Potentially a risk score or additional signals that the browser could provide. Also potentially prompts to share consent
16:02:11 [Gerhard]
Also potentially share biometric usage context (Still the same user)
16:02:19 [Gerhard]
A notification that credentials are being used.
16:02:28 [imran]
imran has joined #wpwg
16:02:51 [Gerhard]
Also spoke about auto-enrollment? How could we do this, and what obstacles would be there. Create a credential without prompting? What would that take?
16:03:04 [Gerhard]
If you want to authenticate then use this.
16:04:05 [Gerhard]
Context of the transaction such as pay/subscribe
16:04:18 [Gerhard]
(nakjo for group 2)
16:04:34 [Gerhard]
Group 3: Increase trust and reduce friction:
16:04:56 [Gerhard]
First ensure consistent experience for user across all OS and Devices
16:05:03 [Gerhard]
A couple of hops in that journey.
16:05:19 [Gerhard]
Marketing and branding the payment brands and logos. Improve that.
16:05:27 [Gerhard]
Experience enables consistency.
16:05:41 [Gerhard]
Eliminating unnecessary steps due to failed authentication.
16:06:04 [Gerhard]
Familiarity to users in pop-ups. User names or something more memorable.
16:06:25 [Gerhard]
Enrollment scope and cross-device scoping. Should not be repeating this across various devices.
16:06:29 [Gerhard]
q?
16:06:48 [Gerhard]
Group 4 (Stephen)
16:07:05 [Gerhard]
Expanding use-cases to talk about SPC and non-payment flows and more complex payments.
16:07:16 [Gerhard]
Also spoke about alternate payment mechanisms.
16:07:27 [Gerhard]
Focused more on SPC UI.
16:07:39 [Gerhard]
Technically it's too restrictive (Recurring, variable)
16:07:58 [Gerhard]
But you cannot do raw text in browsers? So how do you do that? FedCM has 4 enumerations.
16:08:13 [Gerhard]
Payments may be more complex? Did not come up with a clear answer.
16:08:43 [Gerhard]
How important is this to solve? Some are seeing issuers are not wanting to enable recurring payments - want to re-auth every time.
16:08:56 [Gerhard]
Alternative payment: UPI, Open Banking, PayNow,
16:09:20 [Gerhard]
(and PIX) Not all the same. Merchant is push payment. Open banking is submitting the context for them to charge.
16:09:40 [Gerhard]
Obvious flows here are browser to app and back. How would we enable that.
16:09:48 [Gerhard]
Did not really have a real solution here.
16:10:24 [Gerhard]
What about Intents? PIX folks did raise concern since unsure about who responds to intents. Also based on time available / speed.
16:10:42 [Gerhard]
Payment handler had ability to check signatures, so this can be solved.
16:10:48 [Gerhard]
Alex had a complex idea.
16:11:39 [Gerhard]
Action is to explore something - explore with RBI and Brazilian regulator. Also if SPC fits in there. Could you do everything in the browser.
16:13:12 [Gerhard]
Comment: Would be great to jump back from app to browser page that redirected back to that.
16:13:24 [Gerhard]
You should be able to solve this.
16:13:40 [Gerhard]
(comments from gerhard)
16:14:54 [bryanluo]
bryanluo has joined #wpwg
16:15:07 [alakatos]
alakatos has joined #wpwg
16:15:29 [evan_jacobs]
evan_jacobs has joined #wpwg
16:15:37 [Gerhard]
Second point: Browser is trusted globally in the rest of the world. We can leverage that. Let the relying party indicate if he wants to trust the browser or not.
16:16:04 [Gerhard]
New restaurant for tonight.
16:16:57 [nicktr]
https://www.irccloud.com/pastebin/7XcD3zIq/
16:17:11 [nicktr]
**Important**
16:17:11 [nicktr]
16:17:11 [nicktr]
Our restaurant booking has changed.
16:17:11 [nicktr]
16:17:11 [nicktr]
We are now heading to El Paseillo
16:17:12 [nicktr]
16:17:12 [nicktr]
https://elpaseillosevilla.com/
16:17:12 [nicktr]
16:17:13 [nicktr]
map - it looks like a 25 minute walk from the Melia hotel, but it is in a nice area of the city centre near the cathedral with lots of bars.
16:17:13 [nicktr]
16:17:13 [nicktr]
We have a reservation for 20 people across three tables at 8:30pm local time. I will be in reception at 8pm to walk over there if you want to walk with me.
16:20:58 [nicktr]
s/Sami: are we trying/????: are we trying/
16:21:29 [nicktr]
s/sami: we see lots/????: we see lots/
16:21:40 [nicktr]
end of day one
16:21:57 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/09/11-wpwg-minutes.html nicktr
16:22:43 [Zakim]
leaving. As of this point the attendees have been Arman, benoit, canton, Stephen_McGruer, Helen_Qin, Rick_Byers, evan_jacobs, Dingwei_, bryanluo, gkok, nick_s, fahad, Melissa_VS,
16:22:43 [Zakim]
Zakim has left #wpwg
16:22:43 [Zakim]
... JeanLuc, rwatkins-ma, westin, kenneth, SameerT_, Adam_, Gerhard, HelenQin, Dingwei, Tabitha, hari, Nakjo_Shishkov, Peter_, TEngland, Soumya, sioked, tomasz, Bastien_, :,
16:22:43 [Zakim]
... jonathan_grossar, Rouslan, martin_alvarez, Sami
16:24:08 [bryanluo]
bryanluo has joined #wpwg
16:25:34 [benoit]
benoit has joined #wpwg
16:51:46 [benoit_]
benoit_ has joined #wpwg
18:00:38 [benoit]
benoit has joined #wpwg
18:05:17 [benoit_]
benoit_ has joined #wpwg
18:13:01 [bryanluo]
bryanluo has joined #wpwg
18:20:37 [bryanluo]
bryanluo has joined #wpwg
18:26:54 [bryanluo]
bryanluo has joined #wpwg
20:26:37 [bryanluo]
bryanluo has joined #wpwg
20:27:54 [benoit]
benoit has joined #wpwg
21:06:29 [nick_s]
nick_s has joined #wpwg
21:27:18 [bryanluo]
bryanluo has joined #wpwg
21:32:47 [benoit]
benoit has joined #wpwg
21:34:40 [benoit_]
benoit_ has joined #wpwg
21:43:16 [benoit__]
benoit__ has joined #wpwg
21:47:13 [benoit__]
benoit__ has joined #wpwg
22:11:27 [benoit]
benoit has joined #wpwg
22:46:02 [bryanluo]
bryanluo has joined #wpwg
23:36:55 [benoit]
benoit has joined #wpwg
23:56:38 [bryanluo]
bryanluo has joined #wpwg