Re: [webauthn] Transaction Authorization provides a simple and effective method to implement the PSD2 Dynamic Linking requirement. (#1396)

It is not a generic TxConf solution but I've been iterating on a proposal to use a combination of the Web Payments APIs and WebAuthn to at least solve this for payment authorization:

https://github.com/w3c/webauthn-pay/blob/gh-pages/proposals/pr-webauthn-txconf.md

It's still light on detail but I would like to flesh this out in collaboration with WebAuthn folks if there is interest.

My proposal assumes that the RP is the entity that holds the account of the user (or a trusted partner thereof), i.e. in the card world this would be the issuer; in PSD2-land this might be a PISP or an ASPSP.

It also assumes that the RP has installed a Payment Handler (a Service Worker that can respond to Payment Requests) in the user's browser.

It's possible that we find a "lite" Payment Handler model whereby the RP simply registers during the WebAuthn enrollment flow that the credential being created can be used to authorise payments.

The goal is that when the website invokes the Payment Request API, the user can select the RP as the Payment Handler and, instead of the Payment Handler needing to render UI, the browser displays the payment details to the user as part of a WebAuthn Transaction Confirmation screen.

In this case, the data (amount, currency, payee origin) displayed is well structured (i.e. not "arbitrary strings") so should alleviate this concern at least.

-- 
GitHub Notification of comment by adrianhopebailie
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1396#issuecomment-614687927 using your GitHub account

Received on Thursday, 16 April 2020 14:27:42 UTC