Skip to content

Authentication

ianbjacobs edited this page Sep 6, 2018 · 47 revisions

This wiki is for discussion of approaches to integrating strong authentication into payments flows. This wiki is for discussion purposes and does not represent consensus. Questions? Contact the Web Payments Working Group ([email protected]).

Background

  • In a variety of contexts (e.g., PSD2 in Europe, 3D-Secure from EMVCo), strong authentication plays an increasingly important role in payments flows.
  • W3C is working with the FIDO Alliance on Web Authentication and discussing 3D-Secure with EMVCo. Non-standard approaches involve device fingerprinting (e.g., through JavaScript).
  • The usual tensions between security, privacy, and usability are present in these approaches:
    • Web Authentication supports a variety of strong assurances, but requires enrollment.
    • Device fingerprinting (e.g., as specified in the 3D-Secure 2 specification) reduces user friction but involves sharing information about the user silently with third parties (issuing banks, in the case of 3-D Secure 2).

Goals

  • Build shared understanding of authentication options and best practices.
  • Determine whether new browser capabilities (e.g., a browser API to make user data available to authorized payment handlers with user consent) would offer better tradeoffs between security, privacy, and usability.
  • Promote privacy-protecting practices.

Best Practices

Cascade of approaches

Authentication for a transaction can use any of the mechanisms below, with preference to the order in which they are listed. If the most preferred method isn't available, then the next method can be tried, and so on.

  1. Web Authentication
  2. One or more browser APIs to provide device data with user consent to authorized payment handlers
  3. JavaScript device fingerprinting

Web Authentication User Experience

  • Under WebAuthn it is be possible to use a single device touch for 2-factor authentication (e.g., biometric and / or PIN-based user verification that represents both possession of a device and information about and / or knowledge of the user).
  • Where it is necessary to use a password as part of 2-factor authentication, users can take advantage of the browser's password manager to reuse stored credentials.

Browser APIs to provide data to authorized payment handlers

Currently, payment handlers have implemented a practice of "fingerprinting" users through their browsers to identify risk attributes for a transaction. From a browser perspective, this is an anti-pattern -- user agent fingerprinting breaches privacy in non-transparent ways and browsers are constantly looking for ways to prevent user agent fingerprinting.

Rather than continue the status quo of an arms race between browsers and payment handlers, the following is an attempt to establish a framework that works for both parties. It should be recognized that financial institutions frequently feed the "signals" from browsers into black-box machine learning algorithms (often operated by third parties, e.g., FireEye). There is no one signal that indicates risk and the resulting risk scores are constantly changing in real-time based on real-world conditions. Thus, a risk score cannot be performed by a browser and a browser can only serve to provide the signals back to the algorithms that have a more global perspective.

Benefits

  • Privacy enhancements
    • One aspect of payment handler authorization is quality control by the payment method owner. For example, a payment method owner might use a payment method manifest to whitelist payment handlers that are authorized to invoke a device-data API. Payment handler authorization can thus be distributed to payment method owners.
    • Another aspect of payment handler authorization is user consent. Users can explicitly consent to sharing some or all of a set of standardized data with a payment handler, and this can be done through a better and more consistent user experience. This is a more transparent approach than sharing data with unidentified parties (e.g., to issuing bank JavaScript embedded in a merchant site).
    • User data related to payment would be sent to the party carrying out the payment on behalf of the user, rather than to the merchant.
  • Developer benefits
    • A standard API would lower the cost for developers of gathering the data, since they will not have to create and maintain JavaScript themselves.
    • It can also potentially increase data reliability and consistency.

In addition, we should discuss a standard for privacy-protecting user confidence signals from the browser that could further enhance risk analysis capabilities.

How it might work

  • Payment handler receives control from browser via Payment Handler API.
  • Payment handler invokes a method to request device data. The payment handler can request specific fields (or "all") from a standardized data set.
  • Browser confirms payment handler is authorized to request data, returns data (or error). Browser may not return all the data that was requested for a variety of reasons (e.g., user chooses not to share a piece of information).
  • Browser could encrypt data with public key. For example, if the browser knows who the issuing bank is, the browser could encrypt the data with the bank's public key.

TPAC Discussion Ideas

Tuesday (WPWG)

  • Clearly establish what different parties want
  • Establish whether the cascade described above makes sense, is "complete," should be further developed
  • Identify gaps in those approaches and which working group or organization might work on what
  • Get more browser vendor perspective

Wednesday

  • Invite WebAppSec and TAG to a breakout session
  • Debrief on Tuesday discussion with WebAppSec, and continue as deemed useful
  • Place this conversation in Web App Sec context (e.g., via OWASP top 10)
  • Hear Web App Sec ideas/concerns
Clone this wiki locally