Re: [webauthn] Cross-origin credential creation in iframes (#1656)

I suppose the way I see it is we do consider our use case one which would fit a two party protocol. End users essentially have the option to register with us (acting as a payment processor) the first time they make a payment on a given device. That this just happens to be in the context of an iframe seems pretty tangential. To make this more concrete, we'd like to be able to offer the following:

1. Allow the user to sign in to one or more institutions from their device. This typically entails entering credentials and completing some sort of out-of-band MFA. Note: Storing these credentials is NOT what we want to use the WebAuthn API for.

2. Give the user the option to enroll their device with Stitch (or Stripe, Braintree, Fast etc.), as part of an embedded payment flow. Note: This is the part that we'd like to use WebAuthn for, and in this case the two parties are the user and Stitch.

3. Subsequent payments could then follow a more streamlined flow with lower risk if enrolled as we have already verified the device with that set of credentials once. This streamlining is discretionary, based on risk models on the PSP's side.

The actual underlying payment mechanisms are IMO a separate concern to authenticating the device. 

The "issuers" that you mentioned are ones that would be unlikely to see widespread adoption of WebAuthn, or even protocols like FAPI/OpenID Connect/OAuth 2.0, in the markets we operate in (Africa) in the next decade. It is simply not a priority for the banks, while it is the payment processors who really have the incentives to drive innovation and security/privacy practices in the market.

In essence we want to improve the security and experience of the real world ecosystem we operate in by adding extra controls, above and beyond what the banks already provide. 

-- 
GitHub Notification of comment by ncthbrt
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-892947625 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 4 August 2021 20:21:04 UTC