
Comments (6)

stephenmcgruer commented on June 11, 2024

Given SPC is in some ways a special form of WebAuthn, I would be inclined to follow their lead: a timeout parameter that is a hint rather than an absolute (https://www.w3.org/TR/webauthn-2/#dictionary-assertion-options). I must admit I don't know offhand their reasoning for having a timeout, so we should perhaps check that, but generally they're sensible folks that have thought about this much more than I have :D

from secure-payment-confirmation.

rsolomakhin commented on June 11, 2024

The PaymentRequest object has an abort() method that can be triggered from a window.setTimeout() call. Would that satisfy the requirements of the API users?

from secure-payment-confirmation.

SensibleWood commented on June 11, 2024

Timeouts make sense to me regardless of what has gone before - in many payment scenarios there will be a fixed amount of time to complete a given operation such as confirmation for obvious reasons.

Moreover in most Webauthn scenarios the timeout will kick in so I'm wondering if it will be difficult to unpick that behaviour given we are overlaying Webauthn with Payment Request.

from secure-payment-confirmation.

ianbjacobs commented on June 11, 2024

@Goosth,

Do you have a particular scenario in mind?

Some questions:

  • It seems to me that an SPC transaction confirmation dialog timeout would be distinct from a FIDO timeout.

  • I suspect that there may be some regulatory requirements involving timeouts. For example, I see this [1]:

    'Article 4(3)(d) of the Commission Delegated Regulation (EU) 2018/389 states that where Payment Service Providers (PSPs) apply strong customer authentication in accordance with Article 97(1) of Directive (EU) 2015/2366 “the maximum time without activity by the payer after being authenticated for accessing its payment account online shall not exceed 5 minutes”. '

I don't know whether SPC needs to be the locus of the timeout, but maybe it could be. And it sounds like being able to set a parameter to conform with regulation would be useful. I wonder whether signing the parameter value would also be useful. Thus, there could be cryptographic evidence that an SPC assertion was generated within a specified time frame.

  • Lastly, I don't know whether session time out would suffice to address the use case. In this case it would be worth mentioning in a future security and privacy consideration section.

[1] https://www.eba.europa.eu/single-rule-book-qa/-/qna/view/publicId/2018_4065

from secure-payment-confirmation.

ianbjacobs commented on June 11, 2024

@rsolomakhin,

Short answer: I don't know.

It might well suffice when SPC is used within PR API.

But see also potential uses of SPC outside of PR API:
#65

from secure-payment-confirmation.

ianbjacobs commented on June 11, 2024

Closing this because the API supports timeout:
https://w3c.github.io/secure-payment-confirmation/#dom-securepaymentconfirmationrequest-timeout

from secure-payment-confirmation.
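The two mechanisms raised in this thread, the `timeout` member of the SPC request data that the closing comment points to and the window.setTimeout() plus PaymentRequest.abort() pattern rsolomakhin suggests, can be combined by a merchant page. The following is an added example written for this thread, not code from the SPC specification or its repository. It assumes the SecurePaymentConfirmationRequest dictionary as linked above (a `timeout` in milliseconds that, like WebAuthn's, is a hint rather than a guarantee) and the PaymentRequest behaviour that show() rejects with an AbortError once abort() is called. The helper names (buildSpcRequestArgs, showWithDeadline, FakePaymentRequest) and the stand-in PaymentRequest class are this example's own, so the deadline logic can be run outside a browser; the placeholder challenge, rpId and credential values are constructed.

```javascript
// Added example, not code from the SPC spec or its repository. Shows the two
// timeout layers discussed in the thread: the `timeout` member of the SPC request
// data (milliseconds, a hint in the WebAuthn sense) and a hard client-side stop via
// window.setTimeout() calling PaymentRequest.abort(). The names buildSpcRequestArgs,
// showWithDeadline and FakePaymentRequest are this example's own.

const SPC_METHOD = "secure-payment-confirmation";

// Build the (methodData, details) pair for `new PaymentRequest(methodData, details)`.
// Member names follow the SecurePaymentConfirmationRequest dictionary; the caller
// supplies a fresh server-issued challenge and the credential IDs it already holds.
function buildSpcRequestArgs({ challenge, rpId, credentialIds, payeeOrigin, instrument, total, timeoutMs }) {
  const methodData = [{
    supportedMethods: SPC_METHOD,
    data: { challenge, rpId, credentialIds, payeeOrigin, instrument, timeout: timeoutMs },
  }];
  const details = { total: { label: "Total", amount: total } };
  return { methodData, details };
}

// Race request.show() against a hard deadline. The browser rejects show() with an
// AbortError once abort() is called, so that case is reported as a status rather
// than rethrown; any other failure propagates to the caller.
async function showWithDeadline(request, deadlineMs) {
  const timer = setTimeout(() => {
    // abort() returns a promise; if the request already settled it rejects, which is harmless here.
    request.abort().catch(() => {});
  }, deadlineMs);
  try {
    const response = await request.show();
    return { status: "completed", response };
  } catch (err) {
    if (err && err.name === "AbortError") return { status: "aborted" };
    throw err;
  } finally {
    clearTimeout(timer);
  }
}

// Constructed stand-in for the browser's PaymentRequest so the deadline logic can run
// outside a browser: show() "completes" after userDelayMs unless abort() arrives first.
class FakePaymentRequest {
  constructor(userDelayMs) {
    this.userDelayMs = userDelayMs;
    this.aborted = false;
    this._reject = null;
    this._timer = null;
  }
  show() {
    return new Promise((resolve, reject) => {
      this._reject = reject;
      this._timer = setTimeout(() => resolve({ methodName: SPC_METHOD, details: {} }), this.userDelayMs);
    });
  }
  async abort() {
    this.aborted = true;
    clearTimeout(this._timer);
    const err = new Error("The user aborted a request.");
    err.name = "AbortError";
    if (this._reject) this._reject(err);
  }
}

// A user who takes 500 ms is cut off by a 50 ms deadline; one who takes 10 ms completes.
async function demo() {
  const slow = await showWithDeadline(new FakePaymentRequest(500), 50);
  const fast = await showWithDeadline(new FakePaymentRequest(10), 50);
  return { slow: slow.status, fast: fast.status };
}

demo().then((r) => console.log(r)); // { slow: 'aborted', fast: 'completed' }
```

In a real page the merchant would pass the result of buildSpcRequestArgs to `new PaymentRequest(...)` and hand that object to showWithDeadline; the `timeout` member asks the browser to give up, while the setTimeout() path guarantees the merchant's own deadline regardless of how the user agent treats the hint. Whether that deadline satisfies a regulatory limit such as the 5 minutes cited above is a question for the relying party's flow as a whole, not for the client alone.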
