-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improving understanding of who is authenticating for whom #187
Comments
cc @stare893 |
I want to emphasize a point that is covered by Ian's post already (it's scenario 1a.ii), but is worth (imo) repeating: Today in WebAuthn L2, one can have The So despite having a different model (i.e., removing the need to embed Which doesn't mean we shouldn't make it clearer :). I do support a goal of better user understanding here. 1 Assuming the correct permission policy is set on the iframe, but that applies to SPC too. |
Some feedback I received regarding this question in a 3DS context:
|
Question for discussion: where is information about "on behalf of" stored? For example, could it be stored at the CTAP level and recorded at registration? Or should it be passed at authentication time? How does one get permission to authenticate "on behalf of" someone? Is a self-declaration sufficient? |
I guess it depends if there is any external construct that might regulate the entity doing the authenticating. Interestingly (well you can be the judge of that) there is currently a move in the UK open banking standards to ensure that any "on behalf of" style authentication is captured as part of the Authentication Request or somewhere in the authorisation flow (the jury is out on how - some options better than others).
Personally I think it would be good to allow flexibility in setting an "on behalf of" value in case the relevant information changes (e.g. change of domain name, etc). If a change required the credential to be re-minted that would be a foil to usability. Of course that wouldn't be a problem if the "on behalf of" information was mutable. |
Note that the assertion already allows the RP to determine the origin of the requester (see field "origin" in https://w3c.github.io/webauthn/#dictionary-client-data). Additionally the field "crossOrigin" is set if that differs from the RP ID. |
Discussed at 25 April meeting. One idea is to ping the URL at a well-known URL to get a preferred name. |
Note: This issue will also involve discussion with the Web Authentication WG.
I have heard several comments about potential user confusion about who is authentication for whom when using WebAuthn or SPC and multiple origins are involved.
Although it may not be the case for all payment systems, at least for now I am hearing that there are two main scenarios:
SPC enables decoupling of authentication ceremony from validation, so these are the main scenarios:
1a) Bank conducts ceremony with WebAuthn or SPC and validates assertion.
1b) PSP conducts ceremony with SPC in merchant.com and communicates via backend to Bank for validation.
2a) PSP conducts ceremony with WebAuthn or SPC in merchant.com and validates assertion. PSP and Bank can have a variety of agreements.
We can further clarify 1p and 3p scenarios:
1a.i) In 1p context, Bank conducts ceremony with WebAuthn or SPC and validates assertion.
1a.ii) In 3p context, Bank conducts ceremony with WebAuthn or SPC and validates assertion.
1b) In 3p context in merchant.com, PSP conducts ceremony with SPC and communicates via backend to Bank for validation.
2a) In 3p context in merchant.com, PSP conducts ceremony with WebAuthn or SPC and validates assertion. PSP and Bank can have a variety of agreements.
Note: I've not really heard speak of a redirect use case to the PSP 1p origin, so I don't list that here.
Today, there are two dialogs:
The question of this issue is: what would be most helpful to the user, and which dialog should display it?
For example:
1a.i) 1p on bank.com: "bank.com wants you to authenticate."
1a.ii) 3p in merchant.com: "bank.com wants you to authenticate."
1b) 3p in merchant.com: "psp.com, on behalf of bank.com, wants you to authenticate."
2a) 3p in merchant.com: "psp.com, on behalf of merchant.com, wants you to authenticate."
or perhaps: "psp.com and bank.com want you to authenticate."
Looking for guidance here. Thanks!
The text was updated successfully, but these errors were encountered: