Skip to content

SPC Requirements Evaluation at Candidate Recommendation

ianbjacobs edited this page Jun 20, 2022 · 3 revisions

As part of preparing to advance Secure Payment Confirmation to Candidate Recommendation, we evaluate here how the specification fulfills (or does not) our requirements. Questions? public-payments-wg@w3.org.

Proposed Timeline:

  • 18 August: WPWG call to discuss going to CR
  • 18 August: Start Call for Consensus until 5 September
  • 12 September: WPWG meeting starts at TPAC

Satisfied Requirements

Feature Detection

  • It must be possible to determine through JavaScript feature detection whether a user agent supports SPC.
    • Achieved via canMakePayment for the payment method identifier 'secure-payment-confirmation'.

Web Context Support

  • It must be possible to call SPC from a Web site.
  • Because many checkout experiences are offered through iframes, it must be possible to call SPC from an iframe.
    • Both registration and authentication are possible in iframes, including cross-origin iframes.
  • SPC usage within an iframe must be enabled through a permission policy.

Registration

  • It must be possible to do an SPC Registration outside of a transaction.
  • It must be possible to do an SPC Registration following a prior (non-SPC) authentication during a transaction. This registration should not prevent timely completion of the transaction.
  • It is not a requirement that the relying party be able to do an SPC Registration in a third-party context. However, it could improve common payment flows if the relying party could register from a cross-origin iframe.
    • SPC supports registration from a cross-origin iframe.

Instrument Information at Registration

  • The Relying Party must not be required to provide definitive information about a specific instrument at registration time. In other words, the API supports dynamic binding to a specific instrument at authentication time. This feature renders unnecessary additional functionality to update browser-stored instrument information.
  • It is not a requirement that instrument information be stored in the browser as part of an SPC Registration.
    • SPC does not require instrument information to be stored in the browser at registration.
  • The protocol should support multiple ways of accessing the instrument display information, including browser storage and authenticator storage.
    • Instrument display information is passed as input to the API at authentication time.

Registration User Experience

Payment Confirmation

Origin Policies

  • Any origin (including the Relying Party) must be able to invoke SPC payment confirmation with the credential id(s) of the Relying Party.
    • This is one of the ways that SPC differs from Web Authentication.

Instrument Information at Payment Confirmation

  • Instrument information (e.g., a display string and icon) must be available for use within the payment confirmation user experience.
    • Instrument information (display strings and icon) is passed to the API at authentication time and is displayed by the transaction dialog.
  • The API must support accessibility and internationalization requirements associated with this information.
  • The party that calls the API must be able to provide instrument information as input. Note: The Relying Party is the authoritative source of instrument information. If another party provides conflicting instrument information as input to the API, the Relying Party can detect this during subsequent validation.
    • Instrument information (display strings and icon) is passed to the API at authentication time and is displayed by the transaction dialog.

Payment Confirmation User Experience

  • Each browser must natively support a payment confirmation user experience.
  • The user agent must require and consume at least one transient user activation in order to display an SPC user experience.
    • TO VERIFY
  • Although we anticipate that in most cases the browser will render the payment confirmation user experience, the protocol should support rendering by other entities (e.g., the operating system or authenticator or for out-of-band authentication). Note: This feature would address use cases that require particularly secure display of information.
    • The API does not constrain how and whether underlying authenticators display information passed to them.
  • The payment confirmation user experience must display instrument information such as label and icon.
  • The payment confirmation user experience must display amount and currency of the payment.
  • The party that invokes SPC must be able to specify a timeout for the payment confirmation user experience. See issue 67.
  • The payment confirmation user experience must include the origin of the top level where the API is called.
    • The API supports both payeeName and/or payeeOrigin and the transaction dialog displays whatever is provided.

Levels of User Interaction during Payment Confirmation

  • The API must support payment confirmation with two factor authentication (e.g., with FIDO user verification check).
    • SPC relies on Web Authentication for that functionality.
  • The API should support payment confirmation with one factor authentication with user presence check.
    • SPC relies on Web Authentication for that functionality.
  • The API should support payment confirmation with one factor authentication (possession) without user presence check.
    • SPC relies on Web Authentication for that functionality.

Cross-Browser Support

  • If the user did an SPC Registration when using one instance of a browser, it should be possible to leverage that authentication from a different instance of the same browser (e.g., both browsers are Firefox)
    • This is achieved via discoverable credentials. Furthermore, multi-device credentials may support sharing among browsers on different devices. *If the user did an SPC Registration when using one instance of a browser, it should be possible to leverage that authentication from any browser (e.g., one browser is Firefox and the other is Chrome). Note: Large Blob (WebAuthn Level 2) may be used to create portable stored data to reduce the total number of registrations.
    • This is achieved via discoverable credentials (on the same device).

SPC Credential Identifiers and Matching

  • It it left to the user agent how the user selects an authentication path when more than one matches the SPC Request. See issue 69 for discussion.
  • When the user agent has no information matching the SPC Request, for privacy reasons the browser may inform the user that the API has been invoked but failed. Note: Whoever might call the API can determine in advance that the user has never done an SPC Registration, and choose not to call the API.

SPC Assertions

  • The SPC Assertion must include at least: top level origin, caller origin, relying party origin (rpid), one-time challenge, instrument information, transaction amount and currency.
  • The SPC Assertion must include a signature over that data (based on the associated authenticator). This signature may be validated by the Relying Party or any other party with the appropriate key.

Lifecycle Management

Security and Privacy Considerations

FIDO Considerations

  • FIDO credentials should be usable for SPC activities and vice-versa, but the user agent must clearly communicate to the user how credentials are being used.
    • See issue 157 for how the WPWG is working with the FIDO CTAP group on a bit to identify cross-origin enabled credentials.

Requirements Still to Satisfy in Version 1

Lifecycle Management

  • The API should not make it impossible for the user to communicate to the relying party to forget SPC Credential Identifiers. This might happen in a variety of ways (e.g., forget this authenticator and all associated instruments; forget any authenticators associated with this instrument, etc.). See issue 172.

Requirements Not Expected to be Satisfied in Version 1

Web Context Support

  • It must be possible to call SPC from a payment handler.
    • Due to the initial implementation via Payment Request API, it is not possible to call SPC from a payment handler. However, there are very few deployed payment handlers, so the priority of this requirement is very low.

Registration

  • It must be possible to do an SPC Registration from a payment handler.
    • See note above on payment handlers.

Payment Confirmation

Payment Confirmation User Experience

  • The payment confirmation user experience should include the title and favicon of the page where it was called. See issue 48 on merchant information display.

Levels of User Interaction during Payment Confirmation

  • The API might at some point support payment confirmation with one factor authentication (possession) but without a visible dialog and without a user presence check.
  • The API should allow the relying party to express a preference for any of the supported levels of user interaction.
  • For each transaction, a merchant should be able to express to the relying party a preference to use (or not use) any of the supported levels of user interaction.
  • If the browser supports any relying party option less secure than two-factor, the browser must support a user preference to override that option and maintain two-factor authentication.

SPC Assertions

  • If different user journeys are possible for a given authenticator (e.g., a low friction option), the SPC Assertion must also include information about the user's journey. This information may be part of the authenticator's own assertion. For example, the assertion must indicate whether the user completed the transaction without a user presence check.

FIDO Considerations

  • SPC should support both platform and roaming authenticators. See issue 31 on discoverable credentials and issue 12 on roaming authenticator behaviors.
Clone this wiki locally