A new web standard will add another layer of security to online payment services like Appl...


The World Wide Web Consortium is working to further secure online payments in browsers with a new technology that works alongside other payment services like Apple Pay, Google Pay, and more.

W3C announces a standard for secure online payments



Known as Secure Payment Confirmation (SPC), it allows various entities like merchants, banks, payment service providers, and card networks to reduce the obstacles associated with strong customer authentication (SCA) and generate cryptographic proof of user consent. These factors are crucial in meeting regulatory obligations such as Europe's Payment Services Directive (PSD2).

To address the increasing incidence of online payment fraud, Europe and other regions have initiated requirements for multi-factor authentication in certain payment scenarios. While multi-factor authentication effectively reduces fraud, it also tends to create additional complexity during checkout, which can result in customers abandoning their shopping carts.

Secure Payment Confirmation



Secure Payment Confirmation introduces an additional layer of "user consent" on top of web authentication. During a transaction, SPC prompts the user to consent to the payment terms through a "transaction dialog" governed by the browser.

The transaction dialog lets a user review and confirm the transaction details. The user's FIDO authenticator signs the transaction details, allowing the bank or relevant entity to verify the authentication outcome cryptographically.

The cryptographic verification ensures that the user has indeed consented to the payment terms, as required by the Payment Services Directive 2 (PSD2), under the concept of "dynamic linking."
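
The dynamic-linking check described above, seen from the bank's side, as an added example that is not code from the article or from the W3C specification. The client-data field names (`payment.get`, `payeeOrigin`, `total`, `rpId`) follow the SPC draft as understood here and are assumptions, and every key, origin, amount and challenge is a constructed sample value.

```javascript
// Added example: bank-side (relying party) verification of an SPC assertion.
// Keys, origins, amounts and the challenge are constructed sample values.
const crypto = require('crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Stand-in for the user's FIDO authenticator; a real private key stays on the device.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Transaction details as shown in the browser's transaction dialog (assumed field names).
const samplePayment = {
  rpId: 'bank.example',
  topOrigin: 'https://shop.example',
  payeeOrigin: 'https://shop.example',
  total: { value: '24.99', currency: 'EUR' },
  instrument: { displayName: 'Sample card ending 0000', icon: 'https://bank.example/card.png' },
};

// Simulates what the browser and authenticator return after the user confirms.
function signPayment(challenge, payment) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'payment.get', challenge, origin: payment.topOrigin, payment,
  }));
  // authenticatorData = SHA-256(rpId) | flags (0x05 = user present + verified) | signCount
  const authenticatorData = Buffer.concat([sha256(payment.rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Returns 'ok' or the first failed check. `expected` is the bank's own record of the
// transaction it issued the challenge for, never values echoed back by the merchant page.
function verifyPayment(assertion, expected, key) {
  const { clientDataJSON, authenticatorData, signature } = assertion;
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signed, key, signature)) return 'bad-signature';
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'wrong-rp';
  if ((authenticatorData[32] & 0x05) !== 0x05) return 'user-not-verified';

  const clientData = JSON.parse(clientDataJSON.toString('utf8'));
  if (clientData.type !== 'payment.get') return 'not-a-payment-assertion';
  if (clientData.challenge !== expected.challenge) return 'stale-challenge';
  // Dynamic linking: the signed payee and amount must equal what the bank is about to authorise.
  const { payeeOrigin, total } = clientData.payment || {};
  if (payeeOrigin !== expected.payeeOrigin) return 'payee-mismatch';
  if (!total || total.value !== expected.value || total.currency !== expected.currency) {
    return 'amount-mismatch';
  }
  return 'ok';
}

const expected = {
  rpId: 'bank.example', challenge: crypto.randomBytes(32).toString('base64url'),
  payeeOrigin: 'https://shop.example', value: '24.99', currency: 'EUR',
};
const assertion = signPayment(expected.challenge, samplePayment);
console.log(verifyPayment(assertion, expected, publicKey));
console.log(verifyPayment(assertion, { ...expected, value: '2499.00' }, publicKey));
```

Because the amount and payee sit inside the signed client data, a merchant page that alters them after the user confirms invalidates the signature, and an assertion replayed against a different bank-side transaction fails the field comparison.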

The Web Payments Working Group started the development of Secure Payment Confirmation in 2019 to meet the Strong Customer Authentication requirements while minimizing checkout difficulties. Stripe conducted a trial using an initial implementation of SPC, and in March 2020, it was observed that SPC authentication resulted in an 8% boost in conversions compared to one-time passcodes (OTP).

Additionally, the checkout process was three times faster with SPC authentication. SPC could extend beyond card payments and encompass other payment ecosystems as well.

Currently, SPC is accessible on Chrome and Edge platforms across macOS, Windows, and Android, which doesn't include Apple's Safari browser. But as the Web Payments Working Group enters the Candidate Recommendation phase, efforts will be made to extend SPC implementation to other browsers and platforms.


Comments

  • Reply 1 of 16
    rob53rob53 Posts: 3,253member
    Currently just works with malware-providers Chrome and Edge on the Mac. Is W3C "owned" by Google or Microsoft? If it's being pushed by the EU, I can see why Safari isn't included.
  • Reply 2 of 16
    avon b7avon b7 Posts: 7,703member
    rob53 said:
    Currently just works with malware-providers Chrome and Edge on the Mac. Is W3C "owned" by Google or Microsoft? If it's being pushed by the EU, I can see why Safari isn't included.
    Remember that it isn't absolutely necessary in the EU as PSD2 has been in force since around 2019 and seems to have been successful. 

    The store passes me to the gateway where I input card details. Click OK, open my bank app and the authorisation is waiting for me there. Click OK and instantly the store confirms the transaction. 

    Fast and fluid. 

    On top of that I use a virtual card for online payments that I 'charge' right before the purchase with the required amount. 

    That card actually exists as a physical card too but with no printed number and a dynamic CVV. 

    Not all online purchases have to use this system. Amazon has the 'buy now' button and as soon as you hit that, everything goes through. 




    edited June 2023
  • Reply 3 of 16
    anonymouseanonymouse Posts: 6,860member
    rob53 said:
    Currently just works with malware-providers Chrome and Edge on the Mac. Is W3C "owned" by Google or Microsoft? If it's being pushed by the EU, I can see why Safari isn't included.
    The W3C is the World Wide Web Consortium: https://www.w3.org

    See also: https://en.wikipedia.org/wiki/World_Wide_Web_Consortium

    It is not "owned" by Google or Microsoft, but Google, Microsoft and Apple are all members: https://www.w3.org/Consortium/Member/List
  • Reply 4 of 16
    coolfactorcoolfactor Posts: 2,245member
    rob53 said:
    Currently just works with malware-providers Chrome and Edge on the Mac. Is W3C "owned" by Google or Microsoft? If it's being pushed by the EU, I can see why Safari isn't included.

    Apple tends to be more cautious with implementing new features into Safari. They do have a Technology Preview version of Safari, but it doesn't have any sign of SPC yet. Maybe the spec has been too raw to touch?
  • Reply 5 of 16
    jdwjdw Posts: 1,341member
    I hate complexity and refuse to use anything that might lock me out.  Passwords are fine, and I still use 1Password to manage them.  But 2FA?  No!  Absolutely not.  I still refuse to switch it on when it comes to my Apple ID.  That means I can't use some Apple services, but so be it.  I hate it with a passion.  For what if I am accessing something from a computer without my iPhone?  Seriously!  To force me to have an iPhone is wrong.  So I keep 2FA switched off. 

    Whatever solution these people come up with had better not force me to need anything other than a password.  I don't mind fingerprints and biometric access, but not every computer has that.  Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.
  • Reply 6 of 16
    XedXed Posts: 2,575member
    jdw said:
    I hate complexity and refuse to use anything that might lock me out.  Passwords are fine, and I still use 1Password to manage them.  But 2FA?  No!  Absolutely not.  I still refuse to switch it on when it comes to my Apple ID.  That means I can't use some Apple services, but so be it.  I hate it with a passion.  For what if I am accessing something from a computer without my iPhone?  Seriously!  To force me to have an iPhone is wrong.  So I keep 2FA switched off. 

    Whatever solution these people come up with had better not force me to need anything other than a password.  I don't mind fingerprints and biometric access, but not every computer has that.  Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.
    What does your iPhone have to do with 2FA? I am a very heavy Mac user who only ever uses their iPhone when on the go, and I have 2FA enabled for every single account possible and those one-time passwords are saved in 1Password so I don't even have to do anything special to put them in. And for the occasional websites that use 2FA via SMS or email, that all comes to my Mac, too.
  • Reply 7 of 16
    jdwjdw Posts: 1,341member
    Xed said:
    jdw said:
    I hate complexity and refuse to use anything that might lock me out.  Passwords are fine, and I still use 1Password to manage them.  But 2FA?  No!  Absolutely not.  I still refuse to switch it on when it comes to my Apple ID.  That means I can't use some Apple services, but so be it.  I hate it with a passion.  For what if I am accessing something from a computer without my iPhone?  Seriously!  To force me to have an iPhone is wrong.  So I keep 2FA switched off. 

    Whatever solution these people come up with had better not force me to need anything other than a password.  I don't mind fingerprints and biometric access, but not every computer has that.  Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.
    What does your iPhone have to do with 2FA? I am a very heavy Mac user who only ever uses their iPhone when on the go, and I have 2FA enabled for every single account possible and those one-time passwords are saved in 1Password so I don't even have to do anything special to put them in. And for the occasional websites that use 2FA via SMS or email, that all comes to my Mac, too.
    What an odd question, asked like you don't even know the answer.  But the answer is: Everything.  My iPhone bugs me to enable 2FA with every single iOS update.  My Macs leave me alone.

    It's clear though that you actually like 2FA and think it makes you much safer, and so you are trying to defend it.  I hate 2FA and feel more vulnerable with it enabled, so I am clearly not going to be convinced by your support of it.  I can only be thankful that Apple still allows me the freedom to find the tiny text link back door which allows me to escape the 2FA madness by keeping that horrid thing switched off.
  • Reply 8 of 16
    chutzpahchutzpah Posts: 392member
    jdw said:
    Xed said:
    jdw said:
    I hate complexity and refuse to use anything that might lock me out.  Passwords are fine, and I still use 1Password to manage them.  But 2FA?  No!  Absolutely not.  I still refuse to switch it on when it comes to my Apple ID.  That means I can't use some Apple services, but so be it.  I hate it with a passion.  For what if I am accessing something from a computer without my iPhone?  Seriously!  To force me to have an iPhone is wrong.  So I keep 2FA switched off. 

    Whatever solution these people come up with had better not force me to need anything other than a password.  I don't mind fingerprints and biometric access, but not every computer has that.  Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.
    What does your iPhone have to do with 2FA? I am a very heavy Mac user who only ever uses their iPhone when on the go, and I have 2FA enabled for every single account possible and those one-time passwords are saved in 1Password so I don't even have to do anything special to put them in. And for the occasional websites that use 2FA via SMS or email, that all comes to my Mac, too.
    What an odd question, asked like you don't even know the answer.  But the answer is: Everything.  My iPhone bugs me to enable 2FA with every single iOS update.  My Macs leave me alone.

    It's clear though that you actually like 2FA and think it makes you much safer, and so you are trying to defend it.  I hate 2FA and feel more vulnerable with it enabled, so I am clearly not going to be convinced by your support of it.  I can only be thankful that Apple still allows me the freedom to find the tiny text link back door which allows me to escape the 2FA madness by keeping that horrid thing switched off.
    Why on earth would you feel more vulnerable with an additional layer of security?
  • Reply 9 of 16
    jdwjdw Posts: 1,341member
    chutzpah said:
    jdw said:
    Xed said:
    jdw said:
    I hate complexity and refuse to use anything that might lock me out.  Passwords are fine, and I still use 1Password to manage them.  But 2FA?  No!  Absolutely not.  I still refuse to switch it on when it comes to my Apple ID.  That means I can't use some Apple services, but so be it.  I hate it with a passion.  For what if I am accessing something from a computer without my iPhone?  Seriously!  To force me to have an iPhone is wrong.  So I keep 2FA switched off. 

    Whatever solution these people come up with had better not force me to need anything other than a password.  I don't mind fingerprints and biometric access, but not every computer has that.  Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.
    What does your iPhone have to do with 2FA? I am a very heavy Mac user who only ever uses their iPhone when on the go, and I have 2FA enabled for every single account possible and those one-time passwords are saved in 1Password so I don't even have to do anything special to put them in. And for the occasional websites that use 2FA via SMS or email, that all comes to my Mac, too.
    What an odd question, asked like you don't even know the answer.  But the answer is: Everything.  My iPhone bugs me to enable 2FA with every single iOS update.  My Macs leave me alone.

    It's clear though that you actually like 2FA and think it makes you much safer, and so you are trying to defend it.  I hate 2FA and feel more vulnerable with it enabled, so I am clearly not going to be convinced by your support of it.  I can only be thankful that Apple still allows me the freedom to find the tiny text link back door which allows me to escape the 2FA madness by keeping that horrid thing switched off.
    Why on earth would you feel more vulnerable with an additional layer of security?
    Fear of getting locked out ONLY because 2FA is enabled.  With it disabled, I have no such fears at all.  Zero.  None!
  • Reply 10 of 16
    chutzpahchutzpah Posts: 392member
    How peculiar.
  • Reply 11 of 16
    avon b7avon b7 Posts: 7,703member
    jdw said:
    chutzpah said:
    jdw said:
    Xed said:
    jdw said:
    I hate complexity and refuse to use anything that might lock me out.  Passwords are fine, and I still use 1Password to manage them.  But 2FA?  No!  Absolutely not.  I still refuse to switch it on when it comes to my Apple ID.  That means I can't use some Apple services, but so be it.  I hate it with a passion.  For what if I am accessing something from a computer without my iPhone?  Seriously!  To force me to have an iPhone is wrong.  So I keep 2FA switched off. 

    Whatever solution these people come up with had better not force me to need anything other than a password.  I don't mind fingerprints and biometric access, but not every computer has that.  Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.
    What does your iPhone have to do with 2FA? I am a very heavy Mac user who only ever uses their iPhone when on the go, and I have 2FA enabled for every single account possible and those one-time passwords are saved in 1Password so I don't even have to do anything special to put them in. And for the occasional websites that use 2FA via SMS or email, that all comes to my Mac, too.
    What an odd question, asked like you don't even know the answer.  But the answer is: Everything.  My iPhone bugs me to enable 2FA with every single iOS update.  My Macs leave me alone.

    It's clear though that you actually like 2FA and think it makes you much safer, and so you are trying to defend it.  I hate 2FA and feel more vulnerable with it enabled, so I am clearly not going to be convinced by your support of it.  I can only be thankful that Apple still allows me the freedom to find the tiny text link back door which allows me to escape the 2FA madness by keeping that horrid thing switched off.
    Why on earth would you feel more vulnerable with an additional layer of security?
    Fear of getting locked out ONLY because 2FA is enabled.  With it disabled, I have no such fears at all.  Zero.  None!
    Your fears should be very real because if you get hacked you will probably be able to eventually get access back, but at what cost? 

    Ironically, I have some accounts with ridiculously weak passwords and without 2FA. They are active and around twenty years old, and at this point they are 'open' to attack out of curiosity on my part.

    I'm surprised they haven't been swiped but there you have it. Pure luck? Maybe.

    Anything tied to Google, Huawei, Apple etc in an ID or financial sense has 2FA activated apart from other protections that are in place. 
  • Reply 12 of 16
    MplsPMplsP Posts: 3,931member
    Not clear to me how this is any better than ApplePay which is incredibly slick and convenient.
  • Reply 13 of 16
    jdwjdw Posts: 1,341member
    I don't have any ridiculously weak passwords on accounts I care about.  Some very old forums I never participate in anymore, perhaps, but certainly nothing that would expose my sensitive personal data or bank account information.  Any weak passwords I created for those old forums I deliberately made weak (so as to remember them easier) because the content they protected wasn't worth protecting.  I simply was forced to create an account with a password to post in a given forum.

    I think there's more risk of me getting locked out due to stupid 2FA than being hacked.  I say that because I've been online since my 300 baud modem and dial-up BBS's back in the early 80's, and to this day I've never been hacked because I religiously use good passwords and maintain them well.  I also don't visit places that expose me to potential hacks, and I don't foolishly click on links in emails.  I'm pretty adept at spotting phishing attempts. 

    With silly 2FA, if you don't happen to have a device on which your 2FA code or confirmation can be done, you're out of luck.  That restricts my freedom, and I dislike that tremendously.  That is why I keep 2FA switched off.  People who rely on 2FA can't imagine that to be safe, but I am here to say, it actually is.  It's called good password management combined with strong passwords.  I have the key passwords needed for access memorized, and the rest I can access online when needed, in a safe way.
  • Reply 14 of 16
    XedXed Posts: 2,575member
    jdw said:
    Xed said:
    jdw said:
    I hate complexity and refuse to use anything that might lock me out.  Passwords are fine, and I still use 1Password to manage them.  But 2FA?  No!  Absolutely not.  I still refuse to switch it on when it comes to my Apple ID.  That means I can't use some Apple services, but so be it.  I hate it with a passion.  For what if I am accessing something from a computer without my iPhone?  Seriously!  To force me to have an iPhone is wrong.  So I keep 2FA switched off. 

    Whatever solution these people come up with had better not force me to need anything other than a password.  I don't mind fingerprints and biometric access, but not every computer has that.  Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.
    What does your iPhone have to do with 2FA? I am a very heavy Mac user who only ever uses their iPhone when on the go, and I have 2FA enabled for every single account possible and those one-time passwords are saved in 1Password so I don't even have to do anything special to put them in. And for the occasional websites that use 2FA via SMS or email, that all comes to my Mac, too.
    What an odd question, asked like you don't even know the answer.  But the answer is: Everything.  My iPhone bugs me to enable 2FA with every single iOS update.  My Macs leave me alone.

    It's clear though that you actually like 2FA and think it makes you much safer, and so you are trying to defend it.  I hate 2FA and feel more vulnerable with it enabled, so I am clearly not going to be convinced by your support of it.  I can only be thankful that Apple still allows me the freedom to find the tiny text link back door which allows me to escape the 2FA madness by keeping that horrid thing switched off.
    You are clearly misguided by saying you "feel" more vulnerable to a hack by using a 2nd factor to authenticate a device, like a one-time password built into a password manager.

    In another post you claim that you "religiously use good passwords" but everything you're saying says that you don't, especially with claims that you have "ridiculously easy passwords" on accounts you don't care about.

    Even though I have worked in IT security for a very long time I don't think you have to have my perspective before understanding that using simple, short, memorable, repeated (or slightly varied) passwords across so-called accounts you don't care about is a good idea. All my passwords are unique and they aren't doing things like changing an 'E' to a '3' which only makes it more complex for you to type (especially on a virtual keyboard) than it would be to crack.

    PS: 2FA or not, all logins that use a password have the potential to lock you out, but you claim that you "refuse to use anything that might lock me out". Posting on this forum means that you clearly don't do that, and I bet you don't even see how silly your claim is.
    edited June 2023
  • Reply 15 of 16
    jdwjdw Posts: 1,341member
    When you've been doing something for YEARS with success as I have, you stick with it regardless of what some guy on the internet says.  In the end, I use what works for me and I don't waver even when faced with ridicule.  In fact, mockery only works to reinforce what I already believe.  So thank you! :-)
  • Reply 16 of 16
    chutzpahchutzpah Posts: 392member
    jdw said:
    In fact, mockery only works to reinforce what I already believe.  
    That’s pretty damn stupid. 