- From: =JeffH <Jeff.Hodges@Kingsmountain.com>
- Date: Fri, 6 Jul 2018 11:30:58 -0700
- To: W3C WebAuthn WG <public-webauthn@w3.org>
> Here are the notes that Ian Jacobs took during our phone call today
> on the various WebAuthn/WebPayments/PSD2 Demos that folks have put
> together, one feedback point is that the folks writing the demos,
> found the WebAuthn specification hard to understand and without the
> sample code from Firefox, Chrome or Edge it would have been
> impossible/very hard
>
> http://www.w3.org/2018/06/21-auth-demo-minutes

thanks for sending that.

are those demos available anywhere for folks to see or try out?

here's those minutes with inline questions...

> W3C
> - DRAFT -
> SV_MEETING_TITLE
> 21 Jun 2018
> Attendees
>
> Present
> DannyRussell, Liam, Olivier, JonathanG, JohnFontana, Denis, Tony, adrianhb
> Regrets
> DaveTonge, zkoch
> Chair
> SV_MEETING_CHAIR
> Scribe
> Ian
>
> Contents
>
> Topics
> introductions
> Worldpay Demo
> Worldline
> Next steps
> Summary of Action Items
> Summary of Resolutions
>
> hi there
>
> <gildas> can't connect audio at that time
> introductions
> Worldpay Demo
>
> <scribe> ACTION: Ian to find out what feature detection to do for payment_handler
>
> <gildas> ont sure I will be able to join
>
> <gildas> not
>
> ok
>
> <gildas> very very sorry
>
> no worries. Any chance you can do a screencast yourself and share?
>
> Tony: I would agree Hello looks the best...would be great if the polyfill could work
> ... we can use different auth technologies under the covers
>
> danny_russell: I like hello since does facial recognition but falls back to pin
> ... I've kept 2-factor for USB key
>
> John: Should you get updated keys?
> ... support for CTAP?
>
> danny_russell: The key works out of the box wonderfully, we debated whether PWD necessary
>
> IJ: Will there be PIN?
>
> John: Yes
>
> IJ: Which polyfill, Tony, would you be interested in?
>
> danny_russell: digital bazaar's
>
> IJ: Would this work in the ecosystem in practice (e.g., given regulation around storage of credentials)?
>
> Tony: I was wondering the same questions as Ian
> ... Have you implemented other flows besides redirect?
> ... embedded flow?
>
> Danny: OpenBanking is all about the redirect
> ... I've also looked at the berlin group api
> ... starling has a long-running auth
> ... because I'm a trusted beneficiary simpler
>
> OlivierM: You need to be able to fall back to PIN if biometric doesn't work
>
> danny_russell: If we get an error, we fall back to SMS
>
> OlivierM: Regarding Yubico, how do you imagine bringing 2FA in solutions.
> ... will keys support biometrics?
>
> John: We have not discounted biometric.
>
> Tony: You can also do PIN with Yubico devices
> Worldline
>
> Olivier: We added a message to let people know they have registered a payment handler. We found it disturbing to have no feedback.
> ... in our demo we use a hardware token
> ... so we have a process of enrollment shown in the demo
> ... step one (enrollment) took place on the banking web site
> ... step two is the transaction
> ... the demo shows password then hardware token
> ... we combine PR API, PH API, and WebAuthN
>
> IJ: any hurdles you encountered?
>
> Olivier: No, not really
>
> Tony: Which browsers?
>
> Olivier: Just chrome
>
> danny_russell: Like the demo!
> ... I found the web authn standard difficult to follow
> ... I needed MS's samples
> ... and FF's samples
> ... and google's samples
> ... I had to reverse engineer from the sample code

Ok, so where are MS's, FF's, and Goog's sample webauthn code?

we ought to consider using it to update/supplement the code examples we have in the webauthn spec

What are these folks' email addrs? we ought to tug their sleeves for more explicit feedback.

>
> Tony: Good feedback. We are getting ready to go to PR.
>
> danny_russell: A sequence diagram would have helped me

ah ha! so this adds justification for addressing issue #24 <https://github.com/w3c/webauthn/issues/24>

would be good to ask them for feedback on the available diagrams (see recent comments in issue #24)

> ... those samples were really helpful to debug
> ... webauthn is about splitting bit arrays, some are base64 encoded, etc.
> ... so I needed to use debugging side-by-side etc

anticipating this is the reason I did figure 3 -- sounds like we might need to add additional figure details....

> Olivier: I chatted with Liam who is muted due to World Cup ;)
> ... Liam agrees that without sample code would have been difficult
>
> Tony: Good feedback for me and John
>
> IJ: what other payment methods are you looking to experiment with?
>
> Olivier: implementing wallets (paylib)
> ... also wallets for belgium banks
> ... tokenization and encryption
> ... in this demo we wanted to illustrate how it would work for the bank to create a payment handler
> ... how you enroll the customer as well
> ... the first time this window pops up for users it can surprise users
> ... want to avoid scaring pop-ups and surprising redirects
>
> danny_russell: I think the firefox messaging around web auth in the message bar was effective
>
> IJ: Chrome 68 will have payment handler and webauthn
>
> danny_russell: We have invoked basic card on Edge as well.
>
> adrianhb: Does chrome payment handler support include basic-card?
>
> Ian: I think so (based on Rouslan comment at some point)
>
> adrianhb: handlers can do webauthn and return a virtual card
>
> tony: In your webauthn demos you were pre-registered.
>
> adrianhb: The use case I'm interested in is the bank does auth and the bank is also issuer of a payment handler

Ok, so in this case there are not cross-origin issues?

did any of these folks run into cross-origin issues at all in concocting their demos?

are there detailed descriptions of their webpymt & webauthn mashups? code?

having their email addrs would be helpful!

> tony: +1
>
> Next steps
>
> Tony: I would like to understand some of the comments in more detail on spec usability

+1

> ... all other comments on the APIs welcome (as we are in CR)
> ... e.g., error conditions, etc.

+1

> ... also want to look more into Edge demo to be able to do the web authn demo
> ... possibly using polyfill
>
> danny_russell: I can force it with "If Edge"
>
> Tony: +1
>
> IJ: I will look into feature detection for payment handler
> ... I will also work on getting the video together
>
> AdrianHB: It would be great (with chair hat on) for people to publicize what can be done with these APIs
> Summary of Action Items
> [NEW] ACTION: Ian to find out what feature detection to do for payment_handler
>
> Summary of Resolutions
> [End of minutes]
Received on Friday, 6 July 2018 18:42:26 UTC