Re: [webauthn] Cross-origin credential creation in iframes (#1656)

Apologies @arshadnoor if I was a little unclear.

The main thrust that I was trying to convey for our use case, was that we don't want to use FIDO for third party authentication (i.e. acting as an intermediary for the issuer and user), but rather to use it for first party authentication between Stitch and the user.

Our challenge is that due to the nature of the payments business, there is a massive incentive for the payment service providers to be as unobtrusive as possible. We don't want to have to perform a redirect away from our customer's checkout flow just to enrol a user, when the only time that the user would ever realistically interact with our systems is when making a payment.

Concrete examples of the type of experiences that we'd like to innovate on include:

### Fast
https://fast.co
In the demo on their site, you can see that they give the user the option to pay or sign up for a Fast account from within a modal dialogue. This is still using the traditional username/password flow. We'd like to replace this with a passwordless approach and streamline enrollment to just a click.

### My Plaid and Plaid US
https://my.plaid.com/
https://plaid.com/demo/?countryCode=US&language=en&product=transactions
Plaid is a well known entity in the bank account data and account to account payment initiation space.
Plaid Link (seen in the demo) is a single sign on for banks that for their customers is delivered as a modal overlay. This overlay is where users will interact with Plaid for the first time.
My Plaid is a feature on their platform that allows end users to review and revoke permissions granted to various applications that use Plaid's platform for a user's set of bank accounts. What's unfortunate about My Plaid in my opinion is that it requires that users sign up for a My Plaid account, and then sign in to every other banking institution they use just to revoke access to an app. A much better experience would be to enrol the user's device using WebAuthn, and then users can manage permissions based on bank accounts they've previously linked on the device, without the friction of having to create a whole new Plaid account just for the purpose.

### Ozow PIN
https://ozow.com/why-ozow/ozow-pin/
Ozow is a payment initiation product that's quite popular in the South African market.
It recently launched the Ozow PIN feature, which allows users to quickly make payments without having to re-enter their banking credentials if they'd previously made a payment on their device, by entering a PIN code optionally set after the first payment. To provide this functionality, Ozow makes use of cookies and local storage. This is probably the clearest example of where WebAuthn would be a fantastic substitute for this PIN functionality, providing both real security and experience improvements.


-- 
GitHub Notification of comment by ncthbrt
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-893228279 using your GitHub account


Received on Thursday, 5 August 2021 07:21:43 UTC