[webauthn] FIDO + 3DS is a strange combination (#1579)

cyberphone has just created a new issue for https://github.com/w3c/webauthn:

== FIDO + 3DS is a strange combination ==
Based on private communication with several involved parties, Google, the FIDO Alliance, and the WebAuthn WG have apparently come to the conclusion that 3DS is FIDO's path for payments.  Before taking a final decision on that it might be worth looking into some relevant background information.

The current "gold standard" for payments in the physical world is EMV.  EMV offers a superior user experience, security and privacy compared to 3DS.  Adapting EMV for the Web is what the rest of the payment industry has already done, although these solutions are entirely proprietary and usually only have a national scope.  In fact, even Google Pay uses an EMV-like scheme.

Why is FIDO + 3DS a strange combination? Well,

- 3DS is a "workaround" scheme created back in the '90s because client platforms offered essentially nothing to secure on-line payments.

- With FIDO + browser-intrinsic payment SW this is no longer true.  In fact, such a platform could, security-, privacy- and usage-wise, without doubt rival discrete EMV cards + payment terminals.

3DS requires users to hand over their account number to merchants.  This seems to clash with the privacy ideas that were the foundation for FIDO.  3DS does not support account-to-account (A2A) based payments, which is the current focus among banks in most countries.  The recently launched multi-billion Euro project known as the European Payment Initiative only intends to support A2A.
@christiaanbrand @equalsJeffH 

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1579 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 1 March 2021 20:04:47 UTC