w3c / secure-payment-confirmation

Secure Payment Confirmation (SPC)
https://w3c.github.io/secure-payment-confirmation/

Could cards be authenticators for SPC (or WebAuthn)? #276

Open ianbjacobs opened 3 weeks ago

ianbjacobs commented 3 weeks ago

Issue #12 is about support in SPC for roaming authenticators. I have wondered whether cards could act as roaming authenticators, which means that a person could use a card for in-person payments, and also as a possession factor in a strong authentication flow.

RByers commented 3 weeks ago

I think this is a very interesting idea, thanks Ian! Whether through WebAuthn alone or through SPC, relying on a physical card to do the crypto verification has some appealing security and usability properties. It would also be possible to enrol the local device (WebAuthn/SPC/DBSC/etc.) after a card-based confirmation if desired by the issuer & user.

ianbjacobs commented 3 weeks ago

Or, it might be interesting in the "new device" flow: