Improving understanding of who is authenticating for whom #187

@ianbjacobs

Note: This issue will also involve discussion with the Web Authentication WG.

I have heard several comments about potential user confusion about who is authenticating for whom when using WebAuthn or SPC and multiple origins are involved.

Although it may not be the case for all payment systems, at least for now I am hearing that there are two main scenarios:

  1. Bank takes responsibility for authentication.
  2. Merchant takes responsibility for authentication ("delegation" by the Bank). The Merchant may implement this through a Payment Service Provider (PSP).

SPC enables decoupling of authentication ceremony from validation, so these are the main scenarios:

  1. Bank takes responsibility
    1a) Bank conducts ceremony with WebAuthn or SPC and validates assertion.
    1b) PSP conducts ceremony with SPC in merchant.com and communicates via backend to Bank for validation.
  2. Merchant takes responsibility
    2a) PSP conducts ceremony with WebAuthn or SPC in merchant.com and validates assertion. PSP and Bank can have a variety of agreements.

We can further clarify 1p and 3p scenarios:

  1. Bank takes responsibility
    1a.i) In 1p context, Bank conducts ceremony with WebAuthn or SPC and validates assertion.
    1a.ii) In 3p context, Bank conducts ceremony with WebAuthn or SPC and validates assertion.
    1b) In 3p context in merchant.com, PSP conducts ceremony with SPC and communicates via backend to Bank for validation.
  2. Merchant takes responsibility
    2a) In 3p context in merchant.com, PSP conducts ceremony with WebAuthn or SPC and validates assertion. PSP and Bank can have a variety of agreements.

Note: I've not really heard talk of a redirect use case to the PSP 1p origin, so I don't list that here.

Today, there are two dialogs:

  • SPC: The (caller-claimed) merchant name and/or origin are displayed.
  • WebAuthn/FIDO: System-computed relying party information is displayed.

The question of this issue is: what would be most helpful to the user, and which dialog should display it?

For example:

  1. Bank takes responsibility
    1a.i) 1p on bank.com: "bank.com wants you to authenticate."
    1a.ii) 3p in merchant.com: "bank.com wants you to authenticate."
    1b) 3p in merchant.com: "psp.com, on behalf of bank.com, wants you to authenticate."
  2. Merchant takes responsibility
    2a) 3p in merchant.com: "psp.com, on behalf of merchant.com, wants you to authenticate."
    or perhaps: "psp.com and bank.com want you to authenticate."

Looking for guidance here. Thanks!
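To make the two dialogs' data sources concrete, here is an added example (not code from the issue or the SPC spec) for scenario 1b: a psp.com script in merchant.com builds the SPC request, and the bank backend checks the `payment` member of clientDataJSON before trusting the assertion. It assumes the SPC spec's `SecurePaymentConfirmationRequest` and `CollectedClientAdditionalPaymentData` field names; all origins, amounts and the challenge are constructed sample values.

```javascript
// Added example for scenario 1b: PSP runs the SPC ceremony in merchant.com and the bank
// validates via the PSP backend. Field names follow the SPC spec; sample values are constructed.

// Caller side (psp.com script running in merchant.com): what the SPC dialog shows.
// rpId is bound to the credential and enforced by the browser; payeeName/payeeOrigin
// are claimed by the caller and are only trustworthy once the verifier checks them.
function buildSpcMethodData({ credentialIds, challenge, rpId, payeeName, payeeOrigin, instrument }) {
  return [{
    supportedMethods: 'secure-payment-confirmation',
    data: { credentialIds, challenge, rpId, payeeName, payeeOrigin, instrument, timeout: 60000 },
  }];
}

// Verifier side (bank.com backend): the browser copies what it displayed into
// clientDataJSON.payment, so the bank can confirm the user authenticated for the
// transaction and origins it expects before trusting the WebAuthn signature.
function checkClientPaymentData(clientDataJSON, expected) {
  const cd = JSON.parse(clientDataJSON);
  const p = cd.payment;
  if (!p) return { ok: false, problems: ['payment member missing'] };
  const problems = [];
  if (cd.type !== 'payment.get') problems.push('type');
  if (cd.challenge !== expected.challenge) problems.push('challenge');
  if (p.rpId !== expected.rpId) problems.push('rpId');
  if (!expected.allowedTopOrigins.includes(p.topOrigin)) problems.push('topOrigin');
  if (p.payeeOrigin !== expected.payeeOrigin) problems.push('payeeOrigin');
  if (!p.total || p.total.currency !== expected.total.currency ||
      p.total.value !== expected.total.value) problems.push('total');
  return { ok: problems.length === 0, problems };
}

// Constructed sample of what a browser would place in clientDataJSON for scenario 1b.
const SAMPLE_CLIENT_DATA = JSON.stringify({
  type: 'payment.get',
  challenge: 'c2FtcGxlLWNoYWxsZW5nZQ',
  origin: 'https://psp.com',
  payment: {
    rpId: 'bank.com',
    topOrigin: 'https://merchant.com',
    payeeOrigin: 'https://merchant.com',
    total: { currency: 'EUR', value: '42.00' },
    instrument: { displayName: 'Card ending 1234', icon: 'https://bank.com/card.png' },
  },
});

// What the bank expects for this transaction (constructed; in practice from its own records).
const EXPECTED_1B = { challenge: 'c2FtcGxlLWNoYWxsZW5nZQ', rpId: 'bank.com',
  allowedTopOrigins: ['https://merchant.com'], payeeOrigin: 'https://merchant.com',
  total: { currency: 'EUR', value: '42.00' } };
```

The check is what turns the "caller-claimed" dialog text into something the bank can rely on: a mismatch in topOrigin or payeeOrigin means the user was shown a different payee than the one the bank is being asked to authorise.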
