Comments (4)
This almost seems like an ask for clients to support combining the "webauthn" token in the autocomplete attribute with more payment-related tokens like these:
- "cc-name"
- "cc-given-name"
- "cc-additional-name"
- "cc-family-name"
- "cc-number"
- "cc-exp"
- "cc-exp-month"
- "cc-exp-year"
- "cc-csc"
- "cc-type"
Is there an implicit assumption that SPC is being leveraged in payment flows like the ones identified in the OP? Or do we not need to consider that in here?
from webauthn.
Not quite. In our case the credit card entry field is quite a bit later in the UX flow than where we'd like to invoke the conditional mediation.
So firstly, the user lands on a welcome splash screen. Then after clicking next, they are presented with a multiple selection of all the available payment methods:
- Credit Card
- Bank Credentials (instant EFT)
- QR Code
- etc
Some of these also have further nested selections, like bank credentials allows you to pick which bank you want to pay with.
We want to invoke webauthn right at the splash screen, before the user has even selected one of those payment methods and selected a text box. Otherwise it's a sub-optimal UX if the user has a credit card saved for example, but they forgot about it, and so they return, select "Bank Credentials", then select their bank, then select the username field to provide their bank credentials, and only then do they get the suggestion to auth with webauthn, which then redirects them back to the method selection, except this time with their saved credit card listed.
from webauthn.
However, I will add that user agents supporting webauthn autofill in CC fields and similar also definitely would be helpful and is a good idea in its own right.
Also to answer your other question, in our case we are not looking to use Secure Payment Confirmation, no, as device support is not yet there, and we want the portability and usability of passkeys (which AFAIK are not usable with the payment extension, although I certainly could be wrong?)
from webauthn.
The challenge with this is that it may prevent users from using a passkey from another device (security key or phone), and while that may not be important for your payments use case, it would impact traditional sign in flows.
I think the idea is worth exploring, but I think we should defer discussions to L4 based on existing work items and priorities.
/cc @nadalin
from webauthn.
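For reference, the way a page can start a conditional-mediation request at load time today, as an added example that is not code from this thread or from the WebAuthn specification. The `env` parameter, the `hasWebauthnToken` helper and the returned status strings are assumptions of the example. The request can already be started on a splash screen, but the browser only offers the passkey from the autofill UI of an input whose `autocomplete` value carries the "webauthn" token, which is the constraint discussed above.

```javascript
// Added example. `env` stands in for the browser globals (window) so the
// function can also be exercised outside a browser; names are hypothetical.

// True when an autocomplete value ends with the "webauthn" token,
// e.g. "username webauthn" or the "cc-number webauthn" pairing asked about above.
function hasWebauthnToken(autocompleteValue) {
  const tokens = String(autocompleteValue || "")
    .toLowerCase()
    .split(/\s+/)
    .filter(Boolean);
  return tokens.length > 0 && tokens[tokens.length - 1] === "webauthn";
}

// Starts a conditional-mediation request. The returned promise stays pending
// until the user picks a passkey from the autofill UI or `signal` aborts it.
// `requestOptions` (challenge, rpId, ...) must come from the relying party's server.
async function startConditionalPasskeyRequest(env, requestOptions, signal) {
  const PKC = env.PublicKeyCredential;
  if (!PKC || typeof PKC.isConditionalMediationAvailable !== "function") {
    return { status: "unsupported" };
  }
  if (!(await PKC.isConditionalMediationAvailable())) {
    return { status: "unsupported" };
  }
  try {
    const credential = await env.navigator.credentials.get({
      mediation: "conditional",
      publicKey: requestOptions,
      signal,
    });
    return credential ? { status: "asserted", credential } : { status: "none" };
  } catch (err) {
    // Aborting is the normal path when the user chooses another method
    // and the page cancels the pending request.
    if (err && err.name === "AbortError") return { status: "aborted" };
    throw err;
  }
}
```

In a browser, `env` is `window`, and the page keeps an `AbortController` so it can cancel the pending request once the user commits to a different flow.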