Re: Question about anticipated user experience around strong authentication?

[This time adding the mailing list]

Valerie, Kepeng,

The topic of strong authentication has entered increasingly into the conversations of the Web Payments Working Group. 
Web Authentication [1], 3-D Secure 2 [2], and requirements under Europe’s Payment Services Directive (PSD) 2
have led me to wonder: what is the anticipated user experience with Web Authentication? 

The project of 3-D Secure 2 as I understand it is: risk analysis (using data collected about the merchant and user) with a
goal of avoiding user interactions, complemented by explicit “step-up” to strong authentication from time to time. (The figure
I have heard is that step up should happen around 5% of the time.) In short, 3DS2 takes a particular approach to the tradeoff
between usability and security.

Web Authentication has multiple goals and benefits, including simplifying user interactions (e.g., by not having to remember
or type passwords). However, I don’t yet have a good understanding of the anticipated range of user experiences. For example:

* Will I face 2-factor challenges most of the time?
* In some scenarios (e.g., I just did 2-factor!) will Web sites use 1-factor authentication (e.g., cryptogram from my hardware token)?
  (Apologies: I don’t know enough about Web Authentication to know whether this sort of tailoring is feasible.)
* In some scenarios (e.g., the user is visiting a familiar site and their device is on a familiar IP address), could the browser and 
  Web site exchange information so that the Web site would be willing to use 1-factor authentication? (And what would the impact
  be on liability in the case of card payments?)
* Are there other forms of session-based strong authentication that could enable similar periods of 1-factor authentication? or even
* Are other forms of authentication caching emerging (cf FIDO + EMVCo work [3]). Will those be used on the Web?

In short: how are the different players of the ecosystem planning to align to ensure sufficient usability of Web Authentication?

Thank you,

Team Contact of the Web Payments WG


Ian Jacobs <>
Tel: +1 718 260 9447

Received on Thursday, 8 March 2018 23:16:02 UTC