-
Notifications
You must be signed in to change notification settings - Fork 63
Authentication
This wiki is for discussion of approaches to integrating strong (multi-factor) authentication into payments flows. This wiki is for discussion purposes and does not represent consensus. Questions? Contact the Web Payments Working Group ([email protected]).
- In a variety of contexts (e.g., PSD2 in Europe, 3D-Secure from EMVCo), strong authentication plays an increasingly important role in payments flows.
- W3C is working with the FIDO Alliance on Web Authentication and discussing 3D-Secure with EMVCo. Non-standard approaches involve device fingerprinting (e.g., through JavaScript).
- The usual tensions between security, privacy, and usability are present in these approaches:
- Web Authentication supports a variety of strong assurances, but requires enrollment.
- Device fingerprinting (e.g., as envisioned by the 3D-Secure 2 specification) reduces user friction but involves sharing information about the user silently with third parties (issuing banks, in the case of 3-D Secure 2).
- Build shared understanding of authentication options and best practices.
- Determine whether new browser capabilities (e.g., a browser API to make user data available to authorized payment handlers with user consent) would offer better tradeoffs between security, privacy, and usability.
- Promote privacy-protecting practices.
Authentication for a transaction can use any of the mechanisms below, with preference to the order in which they are listed. If the most preferred method isn't available, then the next method can be tried, and so on.
- Web Authentication
- Token binding (see slide deck and piece by MS and intent to implement by Google)
- Device fingerprinting through a browser API (with user consent to authorized payment handlers)
- Device fingerprinting through JavaScript
Note: The value of these assurance signals may change over time based on how the ecosystem (and fraud) evolves.
- Under WebAuthn it is be possible to use a single device touch for 2-factor authentication (e.g., biometric and / or PIN-based user verification that represents both possession of a device and information about and / or knowledge of the user).
- Where it is necessary to use a password as part of 2-factor authentication, users can take advantage of the browser's password manager to reuse stored credentials. We should also look at the role of the Credential Management API here.
- Quesiton: What is the status of authentication caching discussions? (See FIDO & PSD2)
Currently, payment handlers have implemented a practice of "fingerprinting" users through their browsers to identify risk attributes for a transaction. From a browser perspective, this is an anti-pattern -- user agent fingerprinting breaches privacy in non-transparent ways and browsers are constantly looking for ways to prevent user agent fingerprinting.
Rather than continue the status quo of an arms race between browsers and payment handlers, the following is an attempt to establish a framework that works for both parties. It should be recognized that financial institutions frequently feed the "signals" from browsers into black-box machine learning algorithms (often operated by third parties, e.g., FireEye). There is no one signal that indicates risk and the resulting risk scores are constantly changing in real-time based on real-world conditions. Thus, a risk score cannot be performed by a browser and a browser can only serve to provide the signals back to the algorithms that have a more global perspective.
- Privacy enhancements
- One aspect of payment handler authorization is quality control by the payment method owner. For example, a payment method owner might use a payment method manifest to whitelist payment handlers that are authorized to invoke a device-data API. Payment handler authorization can thus be distributed to payment method owners.
- Another aspect of payment handler authorization is user consent. Users can explicitly consent to sharing some or all of a set of standardized data with a payment handler, and this can be done through a better and more consistent user experience. This is a more transparent approach than sharing data with unidentified parties (e.g., to issuing bank JavaScript embedded in a merchant site).
- User data related to payment would be sent to the party carrying out the payment on behalf of the user, rather than to the merchant.
- Developer benefits
- A standard API would lower the cost for developers of gathering the data, since they will not have to create and maintain JavaScript themselves.
- It can also potentially increase data reliability and consistency.
In addition, we should discuss a standard for privacy-protecting user confidence signals from the browser that could further enhance risk analysis capabilities.
- Payment handler receives control from browser via Payment Handler API.
- Payment handler invokes a method to request device data. The payment handler can request specific fields (or "all") from a standardized data set.
- Browser confirms payment handler is authorized to request data, returns data (or error). Browser may not return all the data that was requested for a variety of reasons (e.g., user chooses not to share a piece of information).
- Browser could encrypt data with public key. For example, if the browser knows who the issuing bank is, the browser could encrypt the data with the bank's public key.
- Clearly establish what different parties want
- Establish whether the cascade described above makes sense, is "complete," should be further developed. What do we need to do to make Web Authentication a success (e.g., demonstrating streamlined user experience).
- Identify gaps in those approaches and which working group or organization might work on what
- Get more browser vendor perspective
- Invite WebAppSec and TAG to a breakout session
- Debrief on Tuesday discussion with WebAppSec, and continue as deemed useful
- Place this conversation in Web App Sec context (e.g., via OWASP top 10)
- Hear Web App Sec ideas/concerns
Mailing list archives
Issues
- Secure Payment Confirmation
- Payment Request API
- Payment Method Identifiers
- Payment Handler API
- Payment Method Manifest
- General
- Tokenized Card
- 3DS
- SRC
Tests
Adoption
Previous Topics