Intent to Experiment: Secure Payment Confirmation V2


Nick Burris

Mar 2, 2021, 6:31:35 PM
to blink-dev, Rouslan Solomakhin, Danyao Wang

Contact emails

rou...@chromium.org, nbu...@chromium.org, dan...@chromium.org


Explainer

https://github.com/rsolomakhin/secure-payment-confirmation


Design docs

https://bit.ly/secure-payment-confirmation


TAG review

https://github.com/w3ctag/design-reviews/issues/544


Summary

This is the second origin trial for Secure Payment Confirmation, with the primary goal of increasing enrollment rate from the first origin trial by enhancing the user experience. We’ve added a browser UI prompt to improve trust and understanding, and enabled the feature for iframes for a more seamless user flow and better developer ergonomics.


Secure payment confirmation augments the payment authentication experience on the web with the help of WebAuthn. The feature adds a new PaymentCredential credential type to the Credential Management spec, which allows a relying party such as a bank to create a PublicKeyCredential that can be queried by any merchant origin as part of an online checkout via the Payment Request API using the proposed secure-payment-confirmation payment method.


Link to “Intent to Prototype” blink-dev discussion

Intent to Prototype: https://groups.google.com/a/chromium.org/d/topic/blink-dev/myUR5gyd5Js/discussion

Intent to Experiment (v1):

https://groups.google.com/a/chromium.org/g/blink-dev/c/1P5bcoBw-II


Risks



Interoperability and Compatibility

This feature adds a WebAuthn credential type and PaymentRequest payment method type, so the interop risk is that other browsers do not implement these types.


Gecko: No signal


WebKit: No signal


Web developers: Positive

Positive signals from Stripe, which is interested in experimenting with the feature.



Goals for experimentation

This second experiment will allow us to validate the hypothesis that an improved enrollment experience will increase enrollment rates. The original experiment’s goal still stands, to prove the user benefit of the feature, and gather feedback on the API changes, consisting of the PaymentCredential type added to the credentials API, and the secure-payment-confirmation payment method added to the PaymentRequest API.


Experimental timeline

M91-M94


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No

We intend to experiment with Stripe on Mac and Windows to first prove the user benefit, and then extend the feature to all platforms, except WebView where PaymentRequest is not supported.


Is this feature fully tested by web-platform-tests?

Yes

https://wpt.fyi/results/secure-payment-confirmation?label=master&label=experimental&aligned


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5702310124584960


This intent message was generated by Chrome Platform Status.

Rouslan Solomakhin

Mar 3, 2021, 6:53:38 AM
to Yuriy Ackermann, blink-dev, nbu...@chromium.org, Danyao Wang
The plan for the origin trial is to run on the stable channel.

On Wed, Mar 3, 2021 at 4:59 AM Yuriy Ackermann <yu...@webauthn.works> wrote:
This is great news!

Question: M91, is that stable or canary build?

Yuriy Ackermann

Mar 3, 2021, 10:58:55 AM
to blink-dev, nbu...@chromium.org, Rouslan Solomakhin, Danyao Wang
This is great news!

Question: M91, is that stable or canary build?

On Wednesday, March 3, 2021 at 1:31:35 AM UTC+2 nbu...@chromium.org wrote:

Yuriy Ackermann

Mar 3, 2021, 9:28:45 PM
to blink-dev, Rouslan Solomakhin, blink-dev, nbu...@chromium.org, Danyao Wang, Yuriy Ackermann
Great. Thx!

yo...@yoav.ws

Mar 4, 2021, 2:16:57 PM
to blink-dev, Yuriy Ackermann, Rouslan Solomakhin, blink-dev, nbu...@chromium.org, Danyao Wang
LGTM

The experiment's goal seems worthwhile, and I like the fact you incorporated learnings from the first trial and are trying an improved approach, and that you're working closely with partners on this.
The 1 release gap between the trials also reduces the risk for burn-in from my perspective.

Nick Burris

Mar 29, 2021, 5:09:26 PM
to blink-dev, yo...@yoav.ws, Yuriy Ackermann, Rouslan Solomakhin, blink-dev, Nick Burris, Danyao Wang, Public Payment Request Announcements
Thanks! This origin trial is now live in M91 and registration is open here: https://developer.chrome.com/origintrials/#/view_trial/2735936773627576321

Nick

Yuriy Ackermann

Mar 29, 2021, 6:44:08 PM
to Nick Burris, blink-dev, yo...@yoav.ws, Rouslan Solomakhin, Danyao Wang, Public Payment Request Announcements
Hey Nick. M91 Canary?
--
Yuriy Ackermann
Managing Director @ WebAuthn Works Limited 
FIDO, identity, security, bringing the end to the passwords


Nick Burris

Mar 29, 2021, 7:46:17 PM
to blink-dev, Yuriy Ackermann, blink-dev, yo...@yoav.ws, Rouslan Solomakhin, Danyao Wang, Public Payment Request Announcements, Nick Burris
Yes, the trial is available starting in M91 which is currently in Canary/Dev channels. So the trial will be available in the stable channel when M91 is promoted to stable, scheduled for May 25th.

Yuriy Ackermann

Mar 29, 2021, 7:56:31 PM
to Nick Burris, blink-dev, yo...@yoav.ws, Rouslan Solomakhin, Danyao Wang, Public Payment Request Announcements
Ok. Another noob question. What do I use the access code for?

Nick Burris

Mar 29, 2021, 8:05:05 PM
to blink-dev, Yuriy Ackermann, blink-dev, yo...@yoav.ws, Rouslan Solomakhin, Danyao Wang, Public Payment Request Announcements, Nick Burris
No problem :) My apologies, I should have linked to the Secure Payment Confirmation developer guide on how to get started with the feature. To answer your question specifically, the origin trial token allows you to enable the feature on your website; see the Origin Trials Developer Guide. If you're just looking to try the feature yourself, you can try it out using Chrome Canary on https://rsolomakhin.github.io/pr/spc/ (which is already enrolled in the origin trial).

Hope this helps!
Nick

Rouslan Solomakhin

Jul 14, 2021, 4:41:13 PM
to blink-dev, Nick Burris, Yuriy Ackermann, blink-dev, yo...@yoav.ws, Public Payment Request Announcements
Hi everyone,

This is an FYI that the partner feedback for this origin trial has resulted in a few API changes coming in M93, before the end of the origin trial. You can see the full list of API changes in the SPC: Upcoming Changes [July 2021] - PUBLIC doc.

We believe that updating the API shape in response to developer feedback matches closely with the spirit of origin trials. These changes have been communicated to the partners over other channels as well. Please let us know if you have any concerns.

Cheers,
Rouslan

Rouslan Solomakhin

Aug 16, 2021, 2:42:06 PM
to blink-dev, Rouslan Solomakhin, nbu...@chromium.org, Yuriy Ackermann, blink-dev, yo...@yoav.ws, Public Payment Request Announcements
Hello again,

Similar to the M93 update, the API has a few changes coming in M94. Please see SPC: Upcoming Changes in M94 [public].

These changes are within the timeline of the origin trial, have resulted from the origin trial feedback, and have been communicated to the known API adopters. We're making these changes because we continue to believe that updating the API shape in response to developer feedback matches closely with the spirit of origin trials. Please let us know if you have any questions or concerns.

Cheers,
Rouslan
