Re: [webauthn] Cross origin authentication without iframes (#1667)

@emlun wrote:
>I'm sure there are lots of problems and incompatibilities here, as I know very little of how payment systems work. One clear drawback is that this would require a whole protocol on its own for the browser<->bank communications, with all the inertia that entails. But has something along these lines been considered?

The only thing that has been considered is adopting the Google/Stripe pilot as the foundation for a thing that is now just days from becoming a public draft. SPC is effectively W3C's last chance _in a very long time_ to create a useful Web-based addition to the payment landscape. My analysis (FWIW) indicates that SPC will not prevail:
https://github.com/cyberphone/doc/blob/gh-pages/payments/review-secure-payment-confirmation.md#external-review-googlew3c-secure-payment-confirmation-spc

That SPC does not (_unlike just about every other payment method in existence_) present itself as a branded icon in checkout pages reveals a limited understanding of commercial and marketing realities. The conveners are probably counting on Stripe and their like to market SPC, but they won't. SPC is just a feature in a long list of methods supported by proprietary "checkout APIs".

IMO any alternative work should start by asking the question: What problems do the existing online payment methods suffer from, and is there something we could do about this? If that question only returns increased security, there is nothing to do because that's not enough to move this very slow market. Put in other words: a useful solution should also function as an "enabler" that should be attractive for consumers, merchants, and banks. Since none of these parties are active in public standardization efforts, this comes with certain challenges 😎

@stephenmcgruer @christiaanbrand 


-- 
GitHub Notification of comment by cyberphone
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-909851158 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 1 September 2021 03:45:48 UTC