[webauthn] caBLE for Payments (#1681)

cyberphone has just created a new issue for https://github.com/w3c/webauthn:

== caBLE for Payments ==
This is just an F.Y.I.
https://www.emvco.com/emv_insights_post/what-are-the-emv-specifications

<table><tr><td><i>Consumers today expect their payment device to work anywhere in the world, whether they are paying face-to-face or online. This process must be familiar, convenient, secure and reliable for consumers and for businesses</i></td></tr></table>

Converted into practical terms, it means that the device (a phone) provides an integrated payment experience regardless of payment scenario (mobile browser, desktop browser/phone, PoS/phone). caBLE does not seem to be aligned with this goal. Existing wallet providers will therefore most likely stick to QR code, which covers the two latter use cases and does not depend on cloud service support. QR works great for FIDO-based payments as well.

The security issues related to QR, like vulnerability to phishing, do not apply to payments because the merchant is usually cryptographically tied to the authorized data and must also pass through a payment intermediary vouching for the authenticity of the _registered_ merchant, making this kind of attack much less interesting.

Note that the above does not relate to SPC since it is not targeting PoS payments or integrated payment experiences.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1681 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 9 November 2021 07:13:39 UTC