-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Suggestion to enable Frictionless Flows #34
Comments
Thanks @Goosth for bringing up new use cases. :-) What kind of user experience are you envisioning with the "frictionless" flow? Would the signing be completely invisible from the user? If so, I think there may be a privacy issue: any RP can use the presence of the private key to track users. Also how would this flow handle the Dynamic Linking use case? If user is not seeing any visible UI, who is acting as the trusted component to facilitate the user's confirmation of the transaction details? These are the reasons why the user interaction with the browser UI is crucial in the current SPC proposal. |
If I've understood, there are two user gestures involved:
That's not a careful privacy analysis, but I want to see if @Goosth agrees that those user gestures are expected. Ian |
I think Transaction/checkout (i.e. the flow that exercises the |
We have to find the right balance of friction. We're all in agreement that the payment must be confirmed by the user before the cryptogram will be returned. It cannot be done without user action on that page. So there will be at least one action; this proposal will prevent us from having to add to that. The Credential management API allows us to save a username and password and refill this automatically when a user goes back to that primary site. See example here. So this paradigm is already in place, and I have to assume that this was done in a way that is considered save & free of tracking. The user must be part of the journey to store and retrieve that data. The Customer goes to this primary site (e.g. bank.com) and chooses to be remembered by taking a user action. So, to @ianbjacobs 's point, there are 2 events:
So in both cases user needs to act on something to retrieve the information (only 1 action however). It cannot be done silently. |
According to Chrome's privacy design principle, invoking SPC should always trigger a browser UI that displays to the user the transaction details. User must interacts with this browser UI to proceed. I'm not sure if this is what you originally meant by "1 click" because I'm counting 2 clicks here. But if this is what you envision, then I agree the privacy surface here is identical to Credential Management API. For example, in the Credential Management API demo you referenced, there are two actions when a returning user signs in:
The privacy problem comes from not involving the browser UI. We don't consider a user interaction with a DOM element a sufficiently strong signal of the user's intent to initiate payment authentication because the web content cannot be trusted. A malicious website can easily use a misleading label on the button such as "Click here to get a free coupon".
|
Thanks for the clarification here @danyao. So are we then saying that something like the following will happen
The solution will therefore still require a merchant confirmation step, but no additional/visual authentication using a biometric or Device PIN. This will be a great replacement to remove frustrating SMS OTP flows (fully compliant for all transactions outside of Europe). And it would support a very convenient low-friction flow for situations where full SCA is not required in Europe. This could be a good compromise to enable a 'frictionless' flow if desired by the Issuer. |
Based on further conversation, adding a remark here: if there are any options in the user experience, this raises the question of prioritization of concerns. My initial recommendation would be:
|
I would add to this that if the Relying party indicates it's preference for 2FA (Biometric/PIN + possession), the user or merchant should not be able to waive that. They are the relying party after all.
|
@Goosth, interesting point. "More security wins" could be an interesting principle. (I need to think more about it. "Security" may be the wrong word here, although I hope it's the right word.) |
Labeled after-v1 based on 3 March 2022 WG discussion https://www.w3.org/2022/03/03-wpwg-minutes |
Introduction
We’ve heard a lot about ‘frictionless authentication’ at TPAC 2020 regarding SPC. It’s considered an essential requirement for merchant adoption in certain markets, due to the historic pain experienced with issuer challenges. It's a key benefit promised for 3D Secure 2.
This post is an suggestion on how we could utilize the SPC public-key-credential to payment-card linking mechanism to enable frictionless authentication. The idea is inspired by the Credential API picture in the presentation given at the TPAC WPWG sessions (slide 14, thanks @danyao).
SPC was implemented by adding a new credential type (
PaymentCredential
) to the Credential Management API. This newPaymentCredential
type includes a list of other trusted public-key credentials; which today consist of a set of WebAuthn Keys (calledPublicKeyCredential
in the Credential Management API).Proposal
What if we supported an additional type of credential that can be used frictionlessly. Ideally this would also be a public-private keypair, similar to Webautn’s PublicKeyCredential. This credential would have the following attributes:
This attribute would then be able to show a certain browser presence during a transaction.
This functionality actually already exists in WebCrypto API. The object created is called
CryptoKey
.In CredentialManagement, we could call this a
CryptoKeyCredential
. The CredentialManagement API would bring the ability to get user-consent when this is created. And it would then be stored and retrievable in a similar way to other Credentials.Our
PaymentCredential
would then be able to link into bothPublicKeyCredentials
andCryptoKeyCredentials
(viaexistingCredential
).Enabling this flow.
So, if this was in place and an issuer wanted to enable frictionless flows it would just need to do the following:
Enroll
CryptoKeyCredential
on a trusted browser (getting user consent that they trust this browser)CryptoKeyCredential
to aPaymentCredential
, potentially also with a set ofPublicKeyCredentials
that’s also trusted by this userCheckout
CryptoKeyCredentials
in the list returned to the merchant.CryptoKeyCredentials
returned are present on the browser, and if they are, they could be used as signing proof of the transaction. If none are present it would try theWebAuthnCredentials
, and failing that fallback to the fallback URL.If I understand the SPC API and implementation correctly, this would require virtually no change to the SPC interface. Just the ability to store a new credential type in the browser. And in return, we would be able to offer frictionless SPC consent.
Would be great to explain and explore this further in future WPWG session.
The text was updated successfully, but these errors were encountered: