Re: [webauthn] WebAuthn and Web Payments -- Transaction Confirmation, 3DS2, SRC, etc. (#1396)

> This is the point: how secure is that on the client's OS? How is it secured at the OS API level? As long as that is not properly secured, it is not attractive in terms of risk analysis and cannot compete with out-of-band authorization (different channel).

You are right, _it is probably impossible to prove that a system is secure_. Does that mean that transaction confirmation is useless? Not really; there are literally tons of documented data breach use cases, and they show that real-world issues with mobile phone based SW stem from other weaknesses such as:
- servers exposing sensitive data on the Internet
- password phishing
- social engineering
- poor protocols

However, using OOB authorization is still a viable option and is practiced by many banks, _but it is usually only applied in case a transaction request looks "suspicious"_. That is, combining the best of both worlds.

More reading: https://cyberphone.github.io/doc/saturn/saturn-v3-presentation.pdf#page=13
-- 
GitHub Notification of comment by cyberphone
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1396#issuecomment-654639790 using your GitHub account

Received on Tuesday, 7 July 2020 06:53:42 UTC