13:57:03 <RRSAgent> RRSAgent has joined #wpwg
13:57:07 <RRSAgent> logging to https://www.w3.org/2023/09/28-wpwg-irc
13:57:07 <Ian> Meeting: Web Payments WG
13:59:06 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20230928
13:59:11 <Ian> Scribe: Ian
14:01:06 <Ian> Chair: Nick
14:01:09 <Ian> present+ Ian
14:01:13 <Ian> present+ Jeff_Owenson
14:01:22 <Ian> present+ Steve_Cole
14:01:22 <Ian> present+ Clinton_Allen
14:01:30 <Ian> present Fahad_Saleem
14:01:38 <Ian> present+ Tomasz_Blachowicz
14:01:45 <Ian> present+ Jean-Michel_Girard
14:02:05 <tomasz> tomasz has joined #wpwg
14:02:11 <tomasz> +present
14:02:11 <Ian> present+ Soumya_Chakrabarty
14:02:22 <Ian> present+ Nick_Telford-Reed
14:03:12 <JMGirard> JMGirard has joined #wpwg
14:04:21 <Soumya> Soumya has joined #wpwg
14:04:34 <Ian> Regrets: Arman_Aygen
14:04:44 <nicktr> present+
14:05:10 <Ian> agenda+ TPAC recap
14:05:12 <Ian> agenda+ Next meeting
14:05:15 <Ian> zakim, take up item 1
14:05:15 <Zakim> agendum 1 -- TPAC recap -- taken up [from Ian]
14:05:53 <Ian> Minutes from TPAC:
14:05:54 <Ian> https://www.w3.org/2023/09/11-wpwg-minutes.html
14:05:57 <Ian> https://www.w3.org/2023/09/12-wpwg-minutes.html
14:06:22 <Ian> NickTR: With my chair hat on, overall success. Lots of participants in person and remote (though sound quality was not great).
14:06:30 <Ian> present+ Olivier_Maas
14:07:09 <Ian> present+ John_Bradley
14:07:44 <Ian> NickTR: Genuine enthusiasm in sessions and in hallways. Some people may be aware that there was a small COVID outbreak (despite good mask wearing)
14:07:59 <Ian> NickTR: Seville is a magnificent city.
14:08:42 <Ian> NickTR: In terms of content, the highlight was seeing the results of experimentation from Stripe, Modirum, Netcetera, Visa...the fact that there was a list of findings was very exciting.
14:08:56 <Ian> NickTR: I think it's clear from the findings (especially from Stripe) that they landed on quantitative findings similar to their first pilot.
14:09:16 <Ian> ...there's real benefit of SPC for latency (3x faster compared to OTP) and in terms of authentication success.
14:09:46 <Ian> ...but there remain challenges both to get users to register, and to get users to repeat the experience. Because it's new and changing user behaviors around payments is challenging.
14:10:54 <Ian> ...we also heard in the latest Stripe findings that vanilla WebAuthn had a better success rate than SPC. Although Stripe did not offer a definitive analysis for why that was the case, there speculation (also supported by other conversations that week) was that, in an SPC experience the two pop-ups -- transaction dialog then OS dialog -- involved some friction, such as an extra click.
14:11:08 <Ian> ...we started to discuss, for example, whether the dialogs might be merged.
14:11:23 <Ian> ...Visa pointed out the UX is different on different platforms
14:11:44 <Ian> ...involving different labels, different language, and that that was causing some confusing for the user.
14:12:36 <Ian> ...even if we cannot specify UX (because our charter) it was valuable to talk about user journeys and we should continue to do so
14:12:48 <Ian> ...we had a joint discussion with Web Authn WG and the WebAuthn adoption CG
14:13:32 <Ian> ...the adoption CG's work was really interesting. It's clear to me that SPC represents a step forward in authentication during payments, but we have a mountain to climb to increase awareness with issuers and the broader community.
14:13:38 <Ian> ...I think we need to be doing more to raise awareness.
14:13:56 <Ian> ...do WG participants have views on how we might do so?
14:14:07 <Ian> ...e.g., a new CG dedicated to that? a task force in this WG? via the WPSIG?
14:14:18 <Ian> ...should we be relying on the companies who are participating in the groups?
14:14:27 <Ian> ...by the platform providers? by EMVCo?
14:14:34 <Ian> ...or some combination of all of the above?
14:15:40 <Ian> IJ: John, any thoughts on marrying the dialogs?
14:16:17 <Ian> John: I was not in the payments meetings, so did not participate in that discussion. There might be different solutions; it would depend on how SPC is specified and how it is implemented against WebAuthn.
14:16:36 <Ian> ...it might be that the implementation layering doesn't communicate the consent from one to the other.
14:16:46 <Ian> ...it could be a specification issue or an implementation issue.
14:18:29 <Ian> NickTR: Another topic is whether more of SPC should be pushed into Web Authn. And what will happen after WebAuthn L3?
14:19:03 <Ian> ...I have been wondering whether one of the ways we might get better alignment between SPC/WebAuthn is if more SPC were pushed to WebAuthn
14:19:21 <Ian> John: I think that's a plausible idea
14:19:38 <Ian> present+ Doug_Fisher
14:20:23 <Ian> NickTR: There was an excitement about an SPC-style experience beyond the browser
14:21:02 <Ian> ...so getting closer to native via FIDO is also somewhat interesting
14:21:55 <tomasz> I believe the discussion somehow relates to old issue we have on Github: https://github.com/w3c/secure-payment-confirmation/issues/56
14:22:17 <Ian> Also -> https://github.com/w3c/secure-payment-confirmation/issues/12
14:23:04 <Ian> John: I think there's more that could make its way into WebAuthn
14:23:11 <tomasz> q+
14:23:28 <Fahad> Fahad has joined #wpwg
14:24:15 <Fahad> Present+
14:24:24 <Ian> ack tomasz
14:24:36 <Ian> tomasz: This UX topic is very important
14:24:50 <Ian> ...the fact that we have the two dialogs is cumbersome
14:24:52 <Ian> q+ John
14:25:05 <Ian> tomasz: There are two surfaces to the discussion
14:25:13 <Ian> ...could be about implementation of SPC
14:25:21 <Ian> ...could also be about alignment WebAuthn with SPC
14:25:44 <Ian> ...this also relates to SPC-in-PR-API...and it may make more sense to ground SPC in WebAuthn
14:25:52 <Ian> ..but what's important to us is the UX more than the API surface
14:25:53 <Ian> ack JMGirard
14:25:56 <Ian> ack John
14:26:16 <Ian> John: If there were an extension to WebAuthn for the SPC dialog, perhaps the number of dialogs could be compressed.
14:26:23 <Fahad> And also the capability for a third party to trigger authentication
14:26:38 <Ian> John: There's probably a fair amount of work to do that. Who is going to be displaying the transaction dialog/
14:27:05 <Ian> ...there's a separation between the platform providers and the pluggable passkey providers. We'd need to sort out who is doing what and trust boundaries.
14:27:12 <Ian> ...but i think that's work worth doing.
14:27:25 <Ian> ..if we want participation of FIDO folks in WPSIG; need to reschedule the meetings.
14:28:01 <Ian> q?
14:28:59 <Ian> NickTR: In terms of work product that this WG should do, I think this conversation about aligning webauthn and SPC, and figuring out how to have the discussion about UX and user journey while remaining in our charter scope, and figuring out how to drive adoption...those are the major topics for me.
14:29:16 <Ian> NickTR: We did hear about the future a bit. For example, Rouslan talked about the payment links proposal.
14:29:29 <Ian> ...Gerhard presented some non-payment use cases for SPC (e.g., storing payment credentials)
14:29:46 <Ian> ...that's an increasingly important use case for both merchants and device / wallet provisioning.
14:30:09 <Ian> ...On the Payment Request front, Google and Apple both want to add addresses back to the spec.
14:30:29 <Ian> ...in short, I was excited by the pilots, by the breadth of participation
14:30:37 <Ian> ..thanks to all the presenters from the meeting!
14:31:21 <Ian> ...it was create to have Netflix at the meeting; the voice of the merchant is so important.
14:31:52 <nicktr> q?
14:31:53 <Ian> ...and we should be thinking more about whether we can get more participation by Apple-as-merchant and google-as-merchant.
14:32:52 <Ian> Ian: Good to have a list of things we should be doing to get to next level:
14:32:54 <nicktr> scribe: ian, nicktr
14:32:59 <Ian> * UX feedback => changes in implementation
14:33:30 <Ian> * More browser support
14:35:12 <Ian> * Developer documentation
14:36:16 <Ian> * IANA extension registration (done)
14:36:56 <Ian> * Pilots and good data
14:37:29 <Ian> * Outreach
14:37:44 <Ian> * Support in protocols
14:39:23 <nicktr> q?
14:39:24 <clinton> q+
14:39:28 <Ian> * More documentation?
14:39:32 <Ian> Ian: That's a partial list of ideas
14:40:00 <Ian> Clinton: On the UX feedback... what precedence is there in W3C about UX guidance?
14:42:04 <Ian> IJ: Traditionally specs don't prescribe UX, but there is room to talk about user journeys and provided data to APIs.
14:42:16 <Ian> John: The underlying WebAuthn UX is different on different platforms.
14:42:28 <Ian> ...what may be annoying users is that the WebAuthn UX is different on each system.
14:42:38 <Ian> ...WebAuthn WG similarly doesn't tell OS's how to do their dialogs
14:43:20 <Ian> ...I think browser may be able to do more to get cross-OS consistency for the SPC portion of UX
14:45:47 <nicktr> ack clinton
14:46:35 <Ian> IJ: I think there are fewer implementers here, and they are strongly motivated by pilot feedback to fix UX; I think that is potentially more powerful than guidelines.
14:47:53 <Ian> NickTR: yes, Doug++ for his UX presentation
14:49:22 <Ian> John: We also need to keep an eye on the changes to WebAuthn that are happening, such as pluggable providers
14:49:45 <Ian> ...e.g., on MacOs or Windows, if you are using Chrome and having a password manager installed, the password manager may "take over"
14:50:01 <Ian> ...small number of UX people today, but it will be increasing
14:51:20 <Ian> ...credentials in password managers aren't available (at least now) via the credential listing APIs.
14:52:11 <Ian> ...we need people to understand that APIs that password managements can plug into need to also make affordances for SPC.
14:53:04 <Ian> ACTION: John to raise an SPC issue related to pluggable passkey provider APIs
14:53:20 <nicktr> q?
14:54:39 <Ian> Clinton: UX is becoming the obvious hurdle for adoption (for many different specifications, not just W3C)
14:54:59 <Ian> ...it's one experience from the consumer perspective; even if there are different responsible parties working together
14:56:33 <tomasz> +1 for the UX workshop
14:57:24 <Ian> IJ: SHould we do a UX Workshop on payments?
14:57:31 <Ian> Clinton: +1 ; good to speak with one voice
14:58:27 <Ian> Doug: +1
14:58:47 <Ian> zakim, close this item
14:58:47 <Zakim> agendum 1 closed
14:58:47 <Zakim> I see 1 item remaining on the agenda:
14:58:47 <Zakim> 2. Next meeting [from Ian]
14:58:51 <Ian> zakim, take up item 2
14:58:51 <Zakim> agendum 2 -- Next meeting -- taken up [from Ian]
14:58:55 <Ian> Next meeting 12 October
14:59:01 <RRSAgent> I have made the request to generate https://www.w3.org/2023/09/28-wpwg-minutes.html Ian
15:02:44 <Ian> rrsagent, bye
15:02:44 <RRSAgent> I see 1 open action item saved in https://www.w3.org/2023/09/28-wpwg-actions.rdf :
15:02:44 <RRSAgent> ACTION: John to raise an SPC issue related to pluggable passkey provider APIs [1]
15:02:44 <RRSAgent>   recorded in https://www.w3.org/2023/09/28-wpwg-irc#T14-53-04
15:02:45 <Ian> zakim, bye
15:02:45 <Zakim> leaving.  As of this point the attendees have been Ian, Jeff_Owenson, Steve_Cole, Clinton_Allen, Tomasz_Blachowicz, Jean-Michel_Girard, present, Soumya_Chakrabarty,
15:02:45 <Zakim> Zakim has left #wpwg
15:02:48 <Zakim> ... Nick_Telford-Reed, nicktr, Olivier_Maas, John_Bradley, Doug_Fisher, Fahad