Leaving slide mode.

Joint WPWG / WebAuthn Discussion

Ian Jacobs

TPAC 2024
Anaheim CA, USA
23–27 SEPTEMBER 2024

Agenda

Regulatory context
Secure Payment Confirmation
Web Authentication

Regulatory context (1 / 3)

Requirement / Recommendation	Description	Examples	Potential Solutions: status
Dynamic linking	Cryptographic evidence of consent to T&C	EU, US, UK, Australia, India, Japan	SPC: shipping but not universal txConfirmation: new
Verifier security	RP need to know if authenticator meets reqs at registration and authentication	EU, US, UK, Australia, India, Hong Kong	authnSel: with sync, AAGUID no longer available UAF policies: not in WebAuthn attestation: not useful as implemented

Regulatory context (2 / 3)

Requirement / Recommendation	Description	Examples	Potential Solutions: status
Authentication factors information	Some markets require that a biometric authenticator is systematically used for SCA	EU, US, UK	uvm: not shipping uvi: dropped
Device binding	Where 2FA is required, possession factor is preferred for UX or may be required when used with another factor (cf NIST)	EU, US, UK, Japan	spk (& dpk?) extension: dropped SPC: new DBSC: new

Regulatory context (3 / 3)

Requirement / Recommendation	Description	Examples	Potential Solutions: status
Privacy / User consent	User consent required for any personal data shared to a third party	EU, USA, Australia, UK, Brazil, India, Canada, Japan, South Africa, Hong Kong	SPC: shipping: not universal txConfirmation: new

For more details on regulatory context, see presentation from FIME/Worldline

Secure Payment Confirmation (SPC)

Key observations

Passkeys are considered superior to passwords, but they cannot be used for payments unless they meet regulatory requirements for those types of devices.
Per the above tables, extensions may have fulfilled many of the requirements, but they have not been implemented or are not currently usable.
One pattern might be “more power available with dedicated UX” as might be the case with SPC and device binding.

Move capabilities to SPC?

SPC is currently focused on:
- Dynamic linking
- Privacy / User consent
- Device binding
Ideas for handling verifier security, authentication factors info?
Other technologies that might play a role in addressing these requirements (more below on DBSC)?
Migrate some capabilities from WebAuthn (authnSel, uvi, uvm, signature counter implementation, attestations, etc.) to SPC?

Web Authentication Topics of Interest

Error codes and relation to SPC fallback UX. Related: review of error codes (issue 2132) and Proposal: Expanding output states for SPC
Status of Simple Transaction Authorization Extension (txAuthSimple)
Status of UX for roaming authenticators and are we ready for roaming authenticators in SPC?

Web Authentication Topics of Interest (continued)

Understanding when to register the user (cf 2022 remarks)
SPC 3p bit part of PKCS in WebAuthn L3
Can we improve login-specific language in OS prompts for payments use cases? ([issue 2086](https://github.com/w3c/webauthn/issues/2086))
Also: new features? deployment updates? fate of extensions?

After TPAC

Proposed: revive joint task force between Web Authentication and WPWG to find out how to advance Web Authentication for payments and/or enhance SPC.

Appendix

For more information about FIDO FS-SIG requirements see Member-only presentation