- From: Ian Jacobs <ij@w3.org>
- Date: Thu, 8 Mar 2018 17:15:51 -0600
- To: kepeng.lkp@alibaba-inc.com, valerie.fenwick@intel.com
- Cc: "Telford-Reed, Nick" <Nick.Telford-Reed@worldpay.com>, Adrian Hope-Bailie <adrian@ripple.com>, Wendy Seltzer <wseltzer@w3.org>, Samuel Weiler <weiler@w3.org>, public-web-security@w3.org
[This time adding the mailing list]

Valerie, Kepeng,

The topic of strong authentication has entered increasingly into the conversations of the Web Payments Working Group. Web Authentication [1], 3-D Secure 2 [2], and requirements under Europe’s Payment Services Directive (PSD) 2 have led me to wonder: what is the anticipated user experience with Web Authentication?

The project of 3-D Secure 2 as I understand it is: risk analysis (using data collected about the merchant and user) with a goal of avoiding user interactions, complemented by explicit “step-up” to strong authentication from time to time. (The figure I have heard is that step-up should happen around 5% of the time.) In short, 3DS2 takes a particular approach to the tradeoff between usability and security.

Web Authentication has multiple goals and benefits, including simplifying user interactions (e.g., by not having to remember or type passwords). However, I don’t yet have a good understanding of the anticipated range of user experiences. For example:

* Will I face 2-factor challenges most of the time?
* In some scenarios (e.g., I just did 2-factor!) will Web sites use 1-factor authentication (e.g., cryptogram from my hardware token)? (Apologies: I don’t know enough about Web Authentication to know whether this sort of tailoring is feasible.)
* In some scenarios (e.g., the user is visiting a familiar site and their device is on a familiar IP address), could the browser and Web site exchange information so that the Web site would be willing to use 1-factor authentication? (And what would the impact be on liability in the case of card payments?)
* Are there other forms of session-based strong authentication that could enable similar periods of 1-factor authentication? Or even 0-factor?
* Are other forms of authentication caching emerging (cf. FIDO + EMVCo work [3])? Will those be used on the Web?

In short: how are the different players of the ecosystem planning to align to ensure sufficient usability of Web Authentication?

Thank you,

Ian
Team Contact of the Web Payments WG

[1] https://w3c.github.io/webauthn/
[2] https://www.emvco.com/emv-technologies/3d-secure/
[3] https://fidoalliance.org/fido-alliance-announces-new-authentication-specification-effort-with-emvco-to-bring-added-security-and-convenience-to-mobile-payments/

-- 
Ian Jacobs <ij@w3.org>
https://www.w3.org/People/Jacobs/
Tel: +1 718 260 9447
Received on Thursday, 8 March 2018 23:16:02 UTC
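Added example, not code from the mail, the W3C, EMVCo or the WebAuthn specification: a small JavaScript model of the risk-based step-up policy the mail attributes to 3-D Secure 2, with a strong-authentication freshness window that produces the periods of 1-factor or 0-factor authentication the questions above ask about. The context field names (knownDevice, familiarIp, amount, lastStrongAuthAt, sameSession), the 15-minute freshness window, the high-value threshold of 500 and the three decision labels are assumptions chosen for illustration; only the "around 5%" periodic step-up rate comes from the mail.

```javascript
// Illustrative risk-based step-up policy (added example; not from the mail,
// 3-D Secure 2 or WebAuthn). Field names, thresholds and labels are assumptions.

const FRESH_STRONG_AUTH_MS = 15 * 60 * 1000; // assumed freshness window: 15 minutes
const HIGH_VALUE_THRESHOLD = 500;            // assumed: amounts at or above always step up
const PERIODIC_STEP_UP_RATE = 0.05;          // the "around 5%" figure quoted in the mail

// ctx fields (all assumed):
//   knownDevice      - device previously bound to this account (e.g. a registered authenticator)
//   familiarIp       - request arrives from a network seen before for this account
//   amount           - transaction amount in some currency unit
//   lastStrongAuthAt - ms timestamp of the last 2-factor authentication, or null
//   sameSession      - that strong authentication happened in the current server session
// Returns "none", "one-factor" or "step-up".
function decideAuthentication(ctx, now = Date.now(), rng = Math.random) {
  // Hard rules: an unfamiliar device or a high-value payment is never waved through.
  if (!ctx.knownDevice || ctx.amount >= HIGH_VALUE_THRESHOLD) {
    return "step-up";
  }
  // Periodic step-up regardless of the risk picture, so a captured session or a
  // device that only looks familiar cannot coast on cached trust indefinitely.
  if (rng() < PERIODIC_STEP_UP_RATE) {
    return "step-up";
  }
  const strongAuthIsFresh =
    ctx.lastStrongAuthAt !== null && now - ctx.lastStrongAuthAt < FRESH_STRONG_AUTH_MS;
  // Fresh 2-factor authentication in the same session: no further challenge (0-factor).
  if (strongAuthIsFresh && ctx.sameSession) {
    return "none";
  }
  // Known device on a familiar network: a possession-only check suffices, e.g. a
  // WebAuthn assertion requested with userVerification "discouraged".
  if (ctx.familiarIp) {
    return "one-factor";
  }
  // Known device, unfamiliar network, no fresh strong authentication: step up.
  return "step-up";
}

// Run the policy over a batch of checkouts and count how often the user is interrupted.
function simulate(contexts, now, rng) {
  const counts = { "none": 0, "one-factor": 0, "step-up": 0 };
  for (const ctx of contexts) {
    counts[decideAuthentication(ctx, now, rng)] += 1;
  }
  return counts;
}

// Constructed sample checkouts (not real traffic), evaluated against a fixed clock.
const NOW = 1520000000000;
const SAMPLE = [
  // just completed 2-factor in this session on a known device and network
  { knownDevice: true,  familiarIp: true,  amount: 20,  lastStrongAuthAt: NOW - 60000,   sameSession: true },
  // same device and network, but the last strong authentication is an hour old
  { knownDevice: true,  familiarIp: true,  amount: 20,  lastStrongAuthAt: NOW - 3600000, sameSession: true },
  // known device from an unfamiliar network, never strongly authenticated
  { knownDevice: true,  familiarIp: false, amount: 20,  lastStrongAuthAt: null,          sameSession: false },
  // unknown device, everything else benign
  { knownDevice: false, familiarIp: true,  amount: 20,  lastStrongAuthAt: NOW - 60000,   sameSession: true },
  // high-value payment right after 2-factor
  { knownDevice: true,  familiarIp: true,  amount: 900, lastStrongAuthAt: NOW - 60000,   sameSession: true },
];

// rng that never fires the periodic step-up, so the output reflects the risk rules alone.
console.log(simulate(SAMPLE, NOW, () => 1));
```

The periodic step-up is evaluated before the cached-trust checks on purpose: the point of the random challenge is to bound how long a stolen session or spoofed "familiar" context can ride on an earlier authentication. In a real deployment the lastStrongAuthAt and sameSession facts must be recorded server-side when the assertion is verified, never taken from a client claim, and whether a 1-factor or 0-factor outcome shifts liability for a card payment is a scheme-rules question that no policy code settles.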