design-reviews#675: Secure Payment Confirmation

#675: Secure Payment Confirmation - Part 2

Opened Sep 14, 2021

(Just realized that the OP is now out of date too and I don't have edit rights, so posting a new version here. Please feel free to request that I open a new issue if that's easier!)

I'm requesting a TAG review of Secure Payment Confirmaton.

Secure Payment Confirmation (SPC) is a proposed Web API to support streamlined authentication during a payment transaction. It is designed to scale authentication across merchants, to be used within a wide range of authentication protocols, and to produce cryptographic evidence that the user has confirmed transaction details.

SPC adds payment-specific capabilities atop WebAuthn and is designed with stronger privacy protections than risk analysis approaches that rely on data collection.

Explainer¹: https://github.com/w3c/secure-payment-confirmation/blob/main/explainer.md
Security and Privacy self-review²: https://github.com/w3c/secure-payment-confirmation/blob/main/security-privacy-questionnaire.md
GitHub repo (if you prefer feedback filed there): https://github.com/w3c/secure-payment-confirmation/
Primary contacts (and their relationship to the specification):
- Stephen McGruer (stephenmcgruer), Google Chrome
- Rouslan Solomakhin (rsolomakhin), Google Chrome
- Ian Jacobs (ianbjacobs), W3C
Organization/project driving the design:
- Web Payments WG
- Google
- Stripe
External status/issue trackers for this feature: https://chromestatus.com/feature/5702310124584960

Further details:

I have reviewed the TAG's Web Platform Design Principles
The group where the incubation/design work on this is being done (or is intended to be done in the future): Joint Task Force of Web Authentication and Web Payments Working Groups (no longer current)
The group where standardization of this work is intended to be done ("unknown" if not known):
- Web Payments Working Group
- WebAuthn Working Group (advisory)
Existing major pieces of multi-stakeholder review or discussion of this design:
Major unresolved issues with or opposition to this design: N/A
This work is being funded by: N/A

You should also know that... N/A

We'd prefer the TAG provide feedback as (please delete all but the desired option):

🐛 open issues in our GitHub repo for each point of feedback

Originally posted by @stephenmcgruer in https://github.com/w3ctag/design-reviews/issues/544#issuecomment-904612762

Discussions

Discussed Sep 20, 2021 (See Github)

plenary

Comment by @webpki Sep 20, 2021 (See Github)

Editor’s Draft, 9 September 2021:

<table><tr><td><i> An additional benefit of this feature to Relying Parties is that they no longer need to build their own front-end experiences for authentication. Instead, payment service providers are likely to build them on behalf of merchants.</i></td></tr></table>

The latter has a technical explanation: due to its architectural origins (3DS and WebAuthn), SPC does in practice rather mandate outsourcing, except for a limited set of big merchants.

The root of this requirement is that SPC by design leaves everything related to payment instrument (e.g. card) discovery and selection as well as locating issuing bank, to the market to figure out, and in a provider specific way, as outlined in the draft's sample session:

<table><tr><td><i>The merchant communicates out-of-band with the issuing bank of the payment instrument (e.g., using another protocol).</i></td></td></table>

This differs from native mode mobile "wallets", which by design usually have quite modest (and unlike SPC, documented) requirements for merchant integration. This is due to the fact that these applications build on a uniform and integrated payment experience which also makes "backend" support straightforward. That is, these systems do not depend on OOB communication using another protocol. In fact, there is no interaction whatsoever with issuing banks during the user's part of a payment authorization process.

That Relying Parties (banks) are eager outsourcing the "front-end experiences" to third parties, is not a universal truth. Current offerings as well as high profile projects like the European Payments Initiative rather point in the opposite direction.

According to the draft, SPC is

<table><tr><td><i>...to be used within a wide range of authentication protocols</i></td></tr></table>

which does not easily translate into real-world terms, since no examples have been provided. Given that current systems are all over the map, it seems like a pretty bold statement as well.

Discussed Nov 8, 2021 (See Github)

Dan: what's the current status?

Hadley: can come back to this next week, need to dig in

Dan: I want to know the implementation status. Worked on in the Web Payment WG. Multiple orgs working on it. What are the real issues?

Peter: Chrome shows shipping in 95, no signal from firefox or safari

Dan: we could ask multistakeholder

Ken: Stripe etc have been testing this. As I understand, we have this 3D secure in europe, whenever I use my card it has to go through this other authentication thing with my bank, I have to auth with an app on my phone. ???? Webathn and FIDO will provide the same security and avoid all these extra steps ?????

Tess: of issues I raised, one was answered to my satisfaction. Not excited that they're leaving in the callback mechanism for the future, but raising that didn't change anything.

Peter: come back to this next week

Comment by @torgo Nov 8, 2021 (See Github)

@ianbjacobs @stephenmcgruer can you give us some info on implementations? Chrome status says no signals from Firefox or Webkit?

Comment by @ianbjacobs Nov 8, 2021 (See Github)

@torgo, I don't have any public signals yet from Webkit or Firefox. Still working on that and encouraged by recent TPAC discussions.

Comment by @cyberphone Nov 9, 2021 (See Github)

https://www.apple.com/apple-pay/ "And when you pay, your card numbers are never shared by Apple with merchants"

https://www.w3.org/TR/2021/WD-secure-payment-confirmation-20210831/ "However in order to obtain them from the Relying Party, the merchant already needs an as-strong identifier to give to the Relying Party (e.g., the credit card number)"

Comment by @cyberphone Nov 14, 2021 (See Github)

Chrome status says no signals from Firefox or Webkit?

The crucial part is rather getting banks involved since SPC depends on their cooperation. However, supporting SPC is likely to be a board level question since most banks already have deployed solutions for the only readily available use case, 3DS.

Comment by @ianbjacobs Nov 15, 2021 (See Github)

To correct a comment above, SPC does not depend on bank cooperation. SPC would most certainly benefit from bank cooperation, but SPC can be deployed in a variety of ways with a variety of benefits. In a given payment system there may be an "optimal" relying party (e.g., the bank for 3DS, or the card network for SRC). But there may be other relying parties (e.g., PSPs) given other rules and practices (e.g., delgation) in the ecosytem.

Comment by @stephenmcgruer Nov 15, 2021 (See Github)

@stephenmcgruer can you give us some info on implementations? Chrome status says no signals from Firefox or Webkit?

@torgo - As Ian noted, we have no public signals currently. You may already have seen this from Chromestatus, but here are the relevant request-for-comments:

Neither have replies. An engineer from Apple did attend the WPWG TPAC sessions and stated that SPC is interesting but that Apple has no opinion on it yet. (I can provide links to the minutes if you want.)

Discussed Dec 1, 2021 (See Github)

Hadley: looks early, mozilla and webkit haven't taken a stand

Ken: seems to be adding webauthn to payments.. assumption.. this is because eg in europe you have this 3D Secure and a lot of these could be delegated and use webauthn instead. The way I'm seeing this you use it the first time, do a payment then it uses a backchannel like 3DS to ask for credentials, whatever your bank or card is, but from that point it can register things and say use fingerprint in the future or something like that using webauthn. So in the future you just use yoru fingerprint r face to do 3DS. That is how I read it. Not really said in the explainer. What is a webauthn credential? Assume it's a fingerprint..

Hadley: proposed solution... says it builds on top of webauthn to add payment data

Ken: and to relax assumptin to allow api called in payment context.. I assume that means I can use my webauthn instaed of 3DS. Assume the way it works is I make a payment, goes to my bank or whoever, they have auth system like 3DS, they can say do you want to register with webauthn as well do you want to use that in future? and you can decide to do that on that device. But the text is very complicated..

Amy: I don't think I"m getting the same reading but I don't know it well... but we shouldn't be guessing what it means, explainer is not well written, not focussed on user needs

Hadley: the proposed solution is after you have registered with a given device and a given provider

Ken: I assume you do that on the first payment, and in the future just log in with your credentials. If I say yes it will register that on that device. A bit like how it works on native apps today.

Hadley: the 9 step process is what happens for any transaction after you've registered. That answers the question I had about the difference between registering and transactins after the registration. Be nice if they could explain the registration process

Ken: later it explains they're extending webauthn

Hadley: what else?

Ken: lots of improvements to explainer.. assumes you know about webauthn.. some examples of webauthn credentials. Generally I think it makes sense. Would make it more effortless to do payments. Today I have to sign in with this national ID.. open an app.. swipe... and people are using less secure things with phone numbers instead. Feature makes sense. Not sure if it's right with webauthn.. technicalities I don't know.

Hi, @ianbjacobs and @stephenmcgruer. We (@rhiaro, @kenchris and I) are looking at this in our [W3CTAG face-to-face](https://github.com/w3ctag/meetings/tree/gh-pages/2021/12-Madripoor). We are scrambling to follow the information flows in the explainer (perhaps a diagram would be a clear way to communicate this?), and to see how this works from a user's perspective (especially the registration process). Would it be possible to add those to the explainer? 

Also, it seems like the explainer assumes a strong familiarity with webauthn, which seems complicated in light of [the ongoing work with them](https://github.com/w3c/webauthn/issues/1667). It would help us a lot if you explain in plain English how you see those working together, again especially from the user's perspective. 

And finally, for our notes: we are reassured to see how much you're focused on privacy, based on the issues in your repo and the thorough Security and Privacy questionnaire responses. That's important in this area and we're pleased to see how much emphasis you are giving to it.

[issues rabbitholes]

https://github.com/w3c/secure-payment-confirmation/issues/128

https://github.com/w3c/webauthn/issues/1667

Hadley: did we review webathn?

Ken: 2015..... and 2020.. doesn't seem to have been deeply reviewed

Amy: I think there was a breakout about payments with Ian a while back that I wasn't in

Hadley: me neither

Comment by @hadleybeeman Dec 8, 2021 (See Github)

Hi, @ianbjacobs and @stephenmcgruer. We (@rhiaro, @kenchris and I) are looking at this in our W3CTAG face-to-face. We are scrambling to follow the information flows in the explainer (perhaps a diagram would be a clear way to communicate this?), and to see how this works from a user's perspective (especially the registration process). Would it be possible to address those in the explainer?

Also, it seems like the explainer assumes a strong familiarity with webauthn, which seems complicated in light of the ongoing work with them. It would help us a lot if you explain in plain English how you see those working together, again especially from the user's perspective.

And finally, for our notes: we are reassured to see how much you're focused on privacy, based on the issues in your repo and the thorough Security and Privacy questionnaire responses. That's important in this area and we're pleased to see how much emphasis you are giving to it.

Comment by @ianbjacobs Dec 8, 2021 (See Github)

Hi @hadleybeeman,

Seeking clarification: does the current diagram [1] need improvement?

The following videos from Adyen may also help illustrate user experiences: Registration: https://www.w3.org/2021/10/adyen-spc-reg.mov Authentication: https://www.w3.org/2021/10/adyen-spc-auth

(For more context on those videos and links to accessible descriptions, see [2].)

Regarding the relationship between SPC and Web Authentication, there are three main differences:

With Web Authentication, only the RP can use their own credentials. With SPC, other parties can initiate authentication ceremonies with those credentials as well, but with accompanying UX. This difference from Web Authentication is mentioned here in the spec: https://w3c.github.io/secure-payment-confirmation/#sctn-authentication
With Web Authentication, one can ask an authenticator to sign client data. With SPC, there is built-in support for signing transaction specific data, which is displayed by the native user experience. This is described here in the spec: https://w3c.github.io/secure-payment-confirmation/#sctn-collectedclientadditionalpaymentdata-dictionary
Finally, with Web Authentication Level 2 it is not possible for an RP to create a credential in a cross-origin iframe. With SPC it is possible. We are in ongoing discussions with Web Authentication folks about whether that capability should be available generally within Web Authentication. Indeed, Web Authentication Level 2 allows create() in a cross-origin iframe following discussions about payments use cases.

From a user experience perspective, the authentication ceremony is the same (I believe) between Web Authentication and SPC. With SPC, there is a payment confirmation dialog that precedes the platform's authentication dialog.

I hope this helps; happy to join a call if that would be useful.

[1] https://github.com/w3c/secure-payment-confirmation/blob/main/explainer.md#proposed-solution-secure-payment-confirmation [2] https://www.w3.org/blog/wpwg/2021/11/08/tpac-recap-2021-edition/

Comment by @cyberphone Dec 20, 2021 (See Github)

@hadleybeeman

And finally, for our notes: we are reassured to see how much you're focused on privacy, based on the issues in your repo and the thorough Security and Privacy questionnaire responses. That's important in this area and we're pleased to see how much emphasis you are giving to it.

It is worth noting that the most obvious privacy object related to payments (card numbers), haven't been dealt with: https://github.com/w3ctag/design-reviews/issues/675#issuecomment-964273692 @wseltzer

Apple Pay and other state-of-the-art solutions which effectively are competing with SPC, do not have this problem since they build on another concept, that also brings many other improvements to the table including greatly reduced complexity. There are no technical hurdles adopting this time-proven concept by SPC.

Another side effect of not handling payment instrument data, is that SPC users must usually still carry their physical payment cards. For A2A payments which is what the banks in the EU target, this becomes a veritable showstopper since these systems doesn't come with cards.

Discussed Jan 31, 2022 (See Github)

reviewing Ian's last comment

Tess: [regarding some of the feedback on this issue] (speaking about pragmnatism)

Hadley: in discussions with the automotive wg we still pushed them to be more webby.

Tess: the working group has taken [the] feedback and agreed to disagree ...

Dan: Ok we need to review the videos and the spec links that he's provided.

[we will try to make headway at the plenary]

Discussed Feb 7, 2022 (See Github)

[everyone watches videos: registration, authentication]

Dan: it's a seperate flow from webauthn even though from end user perspective they might be seeing similar kind of UI. Have we answered the question - is information being transmitted to the website that discloses something about the authentication capabilities of the client during this transaction? Ian is saying with web authentication only the RP... can the website tell something about which authn mechanisms exist on the client in a way they can't do in a webauthn session?

Hi @ian - it's not clear to me if the web site (or another party) would, in the context of this transaction, be privy to information about the authentication mechanisms on the client which might give them more info about the end user than the user would expect to be sharing?  For example - would the web site know that a biometric dialog had been shown to the user?  What if the user chose to dismiss that dialog and opt for another authentication mechanism?  In other words - they click "cancel" on this dialog box?  Would the web site be able to detect that?

Rossen: good question. I hope the answer is no the website doesn't learn anything other than if the transaction completed or not.

Peter: 3 parties - user, web site, bank... What about the Payment Service Provider - and an API... web site always uses an API to the PSP... I never talk to the bank. Like Stripe. I have an account with them - i give them the CC info and PSP handles the interation with the actual bank.

Rossen: that's the equiv of you working with the bank directly... where the middleman comes into play is they create a one to many relationship. From the PoV of you being hte web site author - whether is is PayPal or BofA - it's the same thing.

Peter: concern is - the way it works is that I register a public/private key pair with my bank as a consumer.

Rossen: which you have given to paypal...

Peter: I go to web site - they don't talk to my bank... they talk to paypal. is there a backchannel...

Hadley: PSPs are higher liability transaction providers...

Peter: one would presume the existing flow of dealing with a PSP - this would be the same. PSP should be able to talk to the bank ... Don't see it described anywhere.

Rossen: from my recollection - i'm convinced the range of parties are involved.

Peter: i want to talk to one payment processor. Comment from Ian that it doesn't depend on bank collaboration. Do I have to register with e.g. Stripe or Paypal?

Peter: [posts question]

Hadley: standardized payment method identifiers... behaves - you as merchant you need to have the URL to the payment provider that the purchaser intends to use...

Dan: that might be accomplished in a js library you bring down from stripe?

Peter: as a website developer I have refused to use js libraries that payment processors have asked me to use becuase they contain other things like unsanctioned tracking. So I don't want them to have to grab the whole bundle and let them run whatever code they like

Hadley: this is an important issue and we do need to go down this rabbithole. Do we want to open another issue for this? Wnat to make sure we can give it its full due.

Rossen: I agree. If we start it as part of this issue then fork it into a broader scope issue that will end up in their github repo that will give us better visibility to drive it.

Comment by @torgo Feb 7, 2022 (See Github)

Hi @ianbjacobs – it's not clear to me if the web site (or another party) would, in the context of this transaction, be privy to information about the authentication mechanisms on the client which might give them more info about the end user than the user would expect to be sharing? For example - would the web site know that a biometric dialog had been shown to the user? What if the user chose to dismiss that dialog and opt for another authentication mechanism? In other words - they click "cancel" on the dialog box below? Would the web site be able to detect that?

Comment by @ianbjacobs Feb 7, 2022 (See Github)

Hi @torgo,

The specification speaks to this: https://w3c.github.io/secure-payment-confirmation/#sctn-privacy-probing-credential-ids

Specifically:

"Implementors of Secure Payment Confirmation must make sure not to enable malicious callers (who now may not even be the Relying Party) to distinguish between these cases: (1) A credential is not available. (2) A credential is available, but the user does not consent to use it."

I think that speaks to your question about detectable "cancel." Let me know if I have not. Thanks!

Ian

Comment by @plinss Feb 10, 2022 (See Github)

I expect this is likely covered somewhere, but I'm missing it. The spec/explainer talks mostly about the merchant, customer, and account provider, and only briefly mentions payment processors.

When I've built e-commerce sites, I've always interfaced directly with a single payment processor, and never directly with an account provider. I believe this approach to be very common (at least in the US) and want to make sure that this has little friction both for the user and developer.

As a customer, I'm fine with registering an authentication mechanism with my account provider (either the bank directly or the credit card company). If the site I'm trying to make a purchase at is using a payment processor, will the payment processor be able to contact the account provider to authenticate me (I accept the back-channel communication is likely outside the scope of the spec) or will the site need to talk directly to the account provider? or will I as a customer need to re-register my authentication mechanism with the payment provider? (and presumable every new payment processor I encounter?)

Comment by @ianbjacobs Feb 10, 2022 (See Github)

Hi @plinss,

I talked about this topic a bit in a blog post: https://www.w3.org/blog/wpwg/2021/10/06/spc-design-choices-for-flexibility-and-scale/

In short:

In practice we are likely to see a variety of solutions with different relying parties.
Solutions where the account provider is the relying party are likely to most closely approach "register once, reuse credentials easily everywhere." We certainly hope to support that model but it might require time for service providers to integrate SPC into their solutions.
In the Stripe and Adyen pilots, on the other hand, the PSP is the relying party. The user registers credentials with the PSP and the PSP uses SPC at transaction time. How the PSP then works with the account provider regarding risk assessment is outside the scope of SPC. EMVCo and FIDO have published, for example, a paper on leveraging FIDO authentication in a delegated model: https://fidoalliance.org/technical-note-fido-authentication-and-emv-3-d-secure-using-fido-for-payment-authentication/

Thus:

In the "issuing bank is the relying party" model there should be one registration and lots of reuse.
In the "delegated to the PSP model" there should be one registration per PSP, and the PSP would communicate with account provider.

I hope that helps,

Ian

Comment by @cyberphone Feb 11, 2022 (See Github)

It is worth pointing out that the model (apparently) used in the Stripe and Adyen pilots effectively make them issuers of cloned payment credentials. It would be interesting to know how this cloning is performed in order to achieve the necessary binding between the payer and his/her bank account. AFAIK, delegated authentication requires a contractual arrangement as well.

As a (European) user of 3D Secure since more 10 years back, I have yet to encounter an e-commerce site where the bank has been taken out of the equation. My current banks (one in France and one Sweden), use their respectively mobile banking app for the authentication/authorization step. According to the European banking regulator, over 90% of the banks have deployed SCA (Strong Customer Authentication).

There is also a bunch of systems out there including Apple Pay, which build on concepts that have virtually nothing in common with 3D Secure and SPC. The differences affect core issues including UX, privacy, and last but not least, backend integration.

Discussed Feb 14, 2022 (See Github)

Peter: I'm satisfied with Ian's response. Concerned about how it will evolve, but they're on the right path to evolve in the right direction. Depends how fast banks and payment processes catch up and that industry is slow, but they're doing what they need to do.

Dan: Ian responded in the affirmative to my privacy related question. I think that wraps this up and we should [close]

Rossen: and the conversation between Ian and cypherphone?

Dan: it's a conversation for them to manage..

Rossen: that it will carry on in the respective WG

Dan: Proposed closing comment:

Hi @ianbjacobs - thanks for all the great responses and engagement. The TAG is happy to close this review positively. 
I hope our feedback has been useful. I hope that further conversation on the additional issues raised here can be carried 
on in the appropriate working group forum.

closed

Comment by @ianbjacobs Feb 14, 2022 (See Github)

@cyberphone,

I don't know what "cloned" means. The Adyen experiment involves a delegation agreement. SPC can (presumably) be used in that scenario. SPC can also be used in non-delegation ceremonies.
I don't know what you mean when you say "the bank is taken out of the equation." The delegation agreements that I understand to be part of the Adyen experiment presumably involved all the parties that need to be part of the process.

Your discussion of "a bunch of systems" does not seem directly relevant to SPC.

Comment by @torgo Feb 14, 2022 (See Github)

Hi @ianbjacobs - thanks for all the great responses and engagement. The TAG is happy to close this review positively. I hope our feedback has been useful. I hope that further conversation on the additional issues raised here can be carried on in the appropriate working group forum.

Comment by @ianbjacobs Feb 14, 2022 (See Github)

Hi @torgo,

Many thanks to all of the TAG for the thoughtful review. We will continue to work through issues, horizontal review, and cross-browser support.

Ian

Comment by @cyberphone Feb 18, 2022 (See Github)

@ianbjacobs

Delegated authentication probably requires having a copy of card data. Copying and "cloning" are often used interchangeably.
With "taking the bank out of the equation" I simply meant that the bank is not directly involved in the authentication process.<br>https://www.w3.org/2022/02/16-wpwg-minutes<br>Herve: In some cases, people already have 2-factor mechanisms and don't want to implement a new architecture

It is a pity that nobody have bothered describing the delegation concept in more detail.