Re: Question about anticipated user experience around strong authentication?

[This time adding the mailing list]

Valerie, Kepeng,

The topic of strong authentication has entered increasingly into the conversations of the Web Payments Working Group. 
Web Authentication [1], 3-D Secure 2 [2], and requirements under Europe’s Payment Services Directive (PSD) 2
have led me to wonder: what is the anticipated user experience with Web Authentication? 

The project of 3-D Secure 2 as I understand it is: risk analysis (using data collected about the merchant and user) with a
goal of avoiding user interactions, complemented by explicit “step-up” to strong authentication from time to time. (The figure
I have heard is that step up should happen around 5% of the time.) In short, 3DS2 takes a particular approach to the tradeoff
between usability and security.

Web Authentication has multiple goals and benefits, including simplifying user interactions (e.g., by not having to remember
or type passwords). However, I don’t yet have a good understanding of the anticipated range of user experiences. For example:

* Will I face 2-factor challenges most of the time?
* In some scenarios (e.g., I just did 2-factor!) will Web sites use 1-factor authentication (e.g., cryptogram from my hardware token)?
  (Apologies: I don’t know enough about Web Authentication to know whether this sort of tailoring is feasible.)
* In some scenarios (e.g., the user is visiting a familiar site and their device is on a familiar IP address), could the browser and 
  Web site exchange information so that the Web site would be willing to use 1-factor authentication? (And what would the impact
  be on liability in the case of card payments?)
* Are there other forms of session-based strong authentication that could enable similar periods of 1-factor authentication? Or even
  0-factor?
* Are other forms of authentication caching emerging (cf. FIDO + EMVCo work [3])? Will those be used on the Web?

In short: how are the different players of the ecosystem planning to align to ensure sufficient usability of Web Authentication?

Thank you,

Ian 
Team Contact of the Web Payments WG

[1] https://w3c.github.io/webauthn/
[2] https://www.emvco.com/emv-technologies/3d-secure/
[3] https://fidoalliance.org/fido-alliance-announces-new-authentication-specification-effort-with-emvco-to-bring-added-security-and-convenience-to-mobile-payments/

--
Ian Jacobs <ij@w3.org>
https://www.w3.org/People/Jacobs/
Tel: +1 718 260 9447

Received on Thursday, 8 March 2018 23:16:02 UTC
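Editor's note, added example (not part of Ian's message, and not code from the WebAuthn specification or any relying-party library): the question above about whether a site can choose between a presence-only check and a full user-verification challenge per request is something the WebAuthn API already exposes. The relying party states what it wants via the userVerification member of PublicKeyCredentialRequestOptions ("required", "preferred" or "discouraged"), and it learns what the authenticator actually did from the flags byte of the returned authenticatorData (bit 0 = User Present, bit 2 = User Verified). The snippet below builds both kinds of request and shows the server-side check a relying party would run on the flags. The rpId "example.com", the zeroed challenge, the credential IDs, the stepUp policy input and the sample authenticatorData bytes are all constructed placeholders for offline demonstration; in real use the challenge comes fresh from the server and the options go to navigator.credentials.get().

```javascript
// Flag bits in the WebAuthn authenticatorData "flags" byte (WebAuthn spec, section 6.1).
const FLAG_UP = 0x01; // bit 0: User Present (e.g. a touch on the security key)
const FLAG_UV = 0x04; // bit 2: User Verified (PIN or biometric checked on the authenticator)

// Build the options a relying party passes to navigator.credentials.get().
// `stepUp` is a hypothetical policy input (for instance the outcome of a risk analysis);
// `challenge` must be fresh, server-generated random bytes in real use (placeholder here).
function buildAssertionOptions({ rpId, challenge, credentialIds, stepUp }) {
  return {
    publicKey: {
      rpId,
      challenge,
      allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
      // "required": the authenticator must verify the user (PIN/biometric), i.e. possession plus
      // knowledge or inherence. "discouraged": a presence check (touch) is enough, i.e. possession only.
      userVerification: stepUp ? "required" : "discouraged",
      timeout: 60000,
    },
  };
}

// authenticatorData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | extensions.
function parseAuthenticatorData(authData) {
  if (authData.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = authData[32];
  const signCount =
    ((authData[33] << 24) | (authData[34] << 16) | (authData[35] << 8) | authData[36]) >>> 0;
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount,
  };
}

// Server-side check: the request only *asks* for verification; the flags say what the
// authenticator actually did, so the policy decision is enforced here, not in the browser.
function assertionMeetsPolicy(authData, stepUp) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: "user presence flag (UP) not set" };
  }
  if (stepUp && !parsed.userVerified) {
    return { ok: false, reason: "step-up required UV but the authenticator did not verify the user" };
  }
  return { ok: true, reason: parsed.userVerified ? "UP+UV" : "UP only" };
}

// Constructed sample authenticatorData for offline demonstration (not captured from a real device).
function makeSampleAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32); // stand-in for SHA-256(rpId)
  buf[32] = flags;
  buf[33] = (signCount >>> 24) & 0xff;
  buf[34] = (signCount >>> 16) & 0xff;
  buf[35] = (signCount >>> 8) & 0xff;
  buf[36] = signCount & 0xff;
  return buf;
}

// Demonstration: a low-friction request and a step-up request, then the server check
// applied to a presence-only assertion and to a user-verified assertion.
const placeholderChallenge = new Uint8Array(32);
const placeholderCredentialIds = [new Uint8Array([1, 2, 3, 4])];
const lowFrictionOptions = buildAssertionOptions({
  rpId: "example.com", challenge: placeholderChallenge, credentialIds: placeholderCredentialIds, stepUp: false,
});
const stepUpOptions = buildAssertionOptions({
  rpId: "example.com", challenge: placeholderChallenge, credentialIds: placeholderCredentialIds, stepUp: true,
});
console.log("low-friction request asks for UV:", lowFrictionOptions.publicKey.userVerification);
console.log("step-up request asks for UV:", stepUpOptions.publicKey.userVerification);
console.log("presence-only assertion under step-up:", assertionMeetsPolicy(makeSampleAuthData(FLAG_UP, 7), true));
console.log("verified assertion under step-up:", assertionMeetsPolicy(makeSampleAuthData(FLAG_UP | FLAG_UV, 8), true));
```

Two caveats a relying party should keep in mind: "discouraged" is a hint, so a platform authenticator may still set UV and the check above accepts that; and nothing here replaces the rest of assertion verification (rpIdHash comparison, challenge binding through clientDataJSON, signature check, and signCount monotonicity against the stored counter), which is deliberately out of scope for this snippet.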