RE: WebAuthn/WebPayments/PSD2 Demos

The demo does not show payment request API, however. Gildas has reported a related issue to the Chrome team:  http://www.w3.org/2018/06/lyra-webauthpay.mp4


-----Original Message-----
From: =JeffH <Jeff.Hodges@Kingsmountain.com> 
Sent: Friday, July 6, 2018 11:31 AM
To: W3C WebAuthn WG <public-webauthn@w3.org>
Subject: Re: WebAuthn/WebPayments/PSD2 Demos

> Here are the notes that Ian Jacobs took during our phone call today on 
> the various WebAuthn/WebPayments/PSD2 Demos that folks have put 
> together. One feedback point is that the folks writing the demos 
> found the WebAuthn specification hard to understand, and without the 
> sample code from Firefox, Chrome or Edge it would have been 
> impossible/very hard
>
 > https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.w3.org%2F2018%2F06%2F21-auth-demo-minutes&data=02%7C01%7Ctonynad%40microsoft.com%7Cd82be15d82044118dc4008d5e37056a0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636664993998962792&sdata=zQvjry5RrfZfdxOTfYFO%2BaU3dIKHftyqZ708cqMsp8k%3D&reserved=0


thanks for sending that.

are those demos available anywhere for folks to see or try out?

  here's those minutes with inline questions...


 > W3C
 > - DRAFT -
 > SV_MEETING_TITLE
 > 21 Jun 2018
 > Attendees
 >
 > Present
 >     DannyRussell, Liam, Olivier, JonathanG, JohnFontana, Denis, Tony, adrianhb
 > Regrets
 >     DaveTonge, zkoch
 > Chair
 >     SV_MEETING_CHAIR
 > Scribe
 >     Ian
 >
 > Contents
 >
 >     Topics
 >         introductions
 >         Worldpay Demo
 >         Worldline
 >         Next steps
 >     Summary of Action Items
 >     Summary of Resolutions
 >
 > hi there
 >
 > <gildas> can't connect audio at that time
 > introductions
 > Worldpay Demo
 >
 > <scribe> ACTION: Ian to find out what feature detection to do for payment_handler
 >
 > <gildas> ont sure I will be able to join
 >
 > <gildas> not
 >
 > ok
 >
 > <gildas> very very sorry
 >
 > no worries. Any chance you can do a screencast yourself and share?
 >
 > Tony: I would agree Hello looks the best...would be great if the polyfill could work
 > ... we can use different auth technologies under the covers
 >
 > danny_russell: I like hello since does facial recognition but falls back to pin
 > ... I've kept 2-factor for USB key
 >
 > John: Should you get updated keys?
 > ... support for CTAP?
 >
 > danny_russell: The key works out of the box wonderfully, we debated whether PWD necessary
 >
 > IJ: Will there be PIN?
 >
 > John: Yes
 >
 > IJ: Which polyfill, Tony, would you be interested in?
 >
 > danny_russell: digital bazaar's
 >
 > IJ: Would this work in the ecosystem in practice (e.g., given regulation around storage of credentials)?
 >
 > Tony: I was wondering the same questions as Ian
 > ... Have you implemented other flows besides redirect?
 > ... embedded flow?
 >
 > Danny: OpenBanking is all about the redirect
 > ... I've also looked at the berlin group api
 > ... starling has a long-running auth
 > ... because I'm a trusted beneficiary simpler
 >
 > OlivierM: You need to be able to fall back to PIN if biometric doesn't work
 >
 > danny_russell: If we get an error, we fall back to SMS
 >
 > OlivierM: Regarding Yubico, how do you imagine bringing 2FA in solutions.
 > ... will keys support biometrics?
 >
 > John: We have not discounted biometric.
 >
 > Tony: You can also do PIN with Yubico devices
 > Worldline
 >
 > Olivier: We added a message to let people know they have registered a payment handler. We found it disturbing to have no feedback.
 > ... in our demo we use a hardware token
 > ... so we have a process of enrollment shown in the demo
 > ... step one (enrollment) took place on the banking web site
 > ... step two is the transaction
 > ... the demo shows password then hardware token
 > ... we combine PR API, PH API, and WebAuthN
 >
 > IJ: any hurdles you encountered?
 >
 > Olivier: No, not really
 >
 > Tony: Which browsers?
 >
 > Olivier: Just chrome
 >
 > danny_russell: Like the demo!
 > ... I found the web authn standard difficult to follow
 > ... I needed MS's samples
 > ... and FF's samples
 > ... and google's samples
 > ... I had to reverse engineer from the sample code

Ok, so where are MS's, FF's, and Goog's sample webauthn code? we ought to consider using it to update/supplement the code examples we have in the webauthn spec

What are these folks' email addrs? we ought to tug their sleeves for more explicit feedback.


 >
 > Tony: Good feedback. We are getting ready to go to PR.
 >
 > danny_russell: A sequence diagram would have helped me

ah ha!  so this adds justification for addressing issue #24
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c%2Fwebauthn%2Fissues%2F24&data=02%7C01%7Ctonynad%40microsoft.com%7Cd82be15d82044118dc4008d5e37056a0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636664993998962792&sdata=fq2Tx2Gle4kWJD%2Fg54LOaCRM%2Bpdk%2B88QF3Wr36iZJfU%3D&reserved=0>

would be good to ask them for feedback on the available diagrams (see 
recent comments in issue #24)


 > ... those samples were really helpful to debug
 > ... webauthn is about splitting bit arrays, some are base64 encoded, etc.
 > ... so I needed to use debugging side-by-side etc

anticipating this is the reason I did figure 3 -- sounds like we might 
need to add additional figure details....



 > Olivier: I chatted with Liam who is muted due to World Cup ;)
 > ... Liam agrees that without sample code would have been difficult
 >
 > Tony: Good feedback for me and John
 >
 > IJ: what other payment methods are you looking to experiment with?
 >
 > Olivier: implementing wallets (paylib)
 > ... also wallets for belgium banks
 > ... tokenization and encryption
 > ... in this demo we wanted to illustrate how it would work for the bank to create a payment handler
 > ... how you enroll the customer as well
 > ... the first time this window pops up for users it can surprise users
 > ... want to avoid scaring pop-ups and surprising redirects
 >
 > danny_russell: I think the firefox messaging around web auth in the message bar was effective
 >
 > IJ: Chrome 68 will have payment handler and webauthn
 >
 > danny_russell: We have invoked basic card on Edge as well.
 >
 > adrianhb: Does chrome payment handler support include basic-card?
 >
 > Ian: I think so (based on Rouslan comment at some point)
 >
 > adrianhb: handlers can do webauthn and return a virtual card
 >
 > tony: In your webauthn demos you were pre-registered.
 >
 > adrianhb: The use case I'm interested in is the bank does auth and the bank is also issuer of a payment handler

Ok, so in this case there are not cross-origin issues?  did any of these 
folks run into cross-origin issues at all in concocting their demos?

are there detailed descriptions of their webpymt & webauthn mashups? code?

having their email addrs would be helpful!




 > tony: +1
 >
 > Next steps
 >
 > Tony: I would like to understand some of the comments in more detail on spec usability

+1



 > ... all other comments on the APIs welcome (as we are in CR)
 > ... e.g., error conditions, etc.

+1


 > ... also want to look more into Edge demo to be able to do the web authn demo
 > ... possibly using polyfill
 >
 > danny_russell: I can force it with "If Edge"
 >
 > Tony: +1
 >
 > IJ: I will look into feature detection for payment handler
 > ... I will also work on getting the video together
 >
 > AdrianHB: It would be great (with chair hat on) for people to publicize what can be done with these APIs
 > Summary of Action Items
 > [NEW] ACTION: Ian to find out what feature detection to do for payment_handler
 >
 > Summary of Resolutions
 > [End of minutes]

Received on Friday, 6 July 2018 19:51:46 UTC