w3c / secure-payment-confirmation

Secure Payment Confirmation (SPC)
https://w3c.github.io/secure-payment-confirmation/

Document End-User Guide #266

Open maltfield opened 5 months ago

maltfield commented 5 months ago

This is a request to add documentation to this repo that is specifically written for an audience of end-users who want to use SCA for transaction authentication.

Problem

Currently this repo has plenty of documentation available that's specifically written for an audience of developers looking to implement SCA. That's great, but it's not very useful to someone who is trying to find a banking solution that uses SCA for transaction authentication.

The "Dynamic Linking" requirement of the PSD2 reduced the security for many EU banking customers because:

  1. It meant that banks could no longer use TOTP as a 2FA solution for transaction auth and
  2. In practice, it meant that almost all banks developed proprietary auth solutions (unauditable) and insecure OTP-by-SMS auth

Another stated design goal of SPC is that it's

designed with stronger privacy protections than risk analysis approaches that rely on data collection.

Personally, I came to this repo searching for a solution because these "risk analysis approaches that rely on data collection" have led to me constantly being locked out of my own banking accounts (false-positive fraud detection), even when I provide the correct authentication credentials on the first try.

Likewise, if you search the 'net for "PSD2" around the time SCA was first being enforced, there are numerous complaints from people being unable to process transactions because their banks started requiring OTPs by SMS for every transaction. This was essentially a DoS attack on their customers, as many users simply didn't have cell phone signal at home.

In general, lots of users have been suffering for years, and are seeking a secure, standardized way to do transaction auth. This repo aims to solve that, but there is no documentation for the end-user to figure out "ok, how do I use this?"

Solution

Documentation should be written that specifically targets end-users. It should answer the question "what do I need to do to use SCA for my transactions?" and answer the following questions:

  1. What device (eg laptop, smartphone) do I need to have to support SPC?
  2. What hardware token do I need to have to support SPC?
  3. What software (& version) do I need to support SPC?
  4. In order to use SPC, does the merchant or payee need to support it? If so, how do I know if the merchant supports SPC?
  5. In order to use SPC, does my bank need to support it? If so, how do I know if the bank supports SPC?

AbdoALPOP commented 5 months ago

👋 Hey Michael,

I am interested in your task and available to start immediately.

I am experienced with Docusaurus.io, Nextra, Mkdocs, and markdown. I can provide you with a user-friendly guide.

Here are some of my live guides:

I'm looking forward to hearing from you soon 😃 Contact me and let's get started.

maltfield commented 5 months ago

I think you can just get started in markdown or whatever format you prefer and submit it as a PR. Writing the documents isn't the hard part. Researching and knowing what to write is.

@AbdoALPOP can you start by enumerating a list of [a] all user-agents and [b] all hardware security keys that support WebAuthn SPC? Specifically, it should note the minimum release version at which these software & hardware products started supporting WebAuthn SPC.

AbdoALPOP commented 5 months ago

@maltfield Yes, I can start. Please send me your email so I can send a payment request to start this task.

maltfield commented 5 months ago

@AbdoALPOP GitHub is not a marketplace. I'm a volunteer contributor, and payment is not a consideration.

If you'd also like to volunteer, your contributions would be appreciated.

ianbjacobs commented 5 months ago

@maltfield,

We recently added documentation of SPC on MDN. Do you think that would make a good starting point? (That may be too developer-focused for what you have in mind.) Thanks!