Double-authentication problem when BBK not available #315

@tblachowicz

We came across an interesting case that may cause a double-authentication problem.

Let's assume multi-factor authentication (MFA) is required to authenticate the payment. Authentication with SPC, including both passkey credential and BBK credential, satisfies this requirement.

Now, the user creates a passkey on device A, and the browser generates BBK A. Then the passkey syncs to another of the user's devices, say device B, which is not capable of handling BBKs. The reason may be:

  • The version of the browser supports SPC, but not BBK yet.
  • Device B does not have a TPM and therefore is not capable of handling cryptographic keys required by the browser to offer BBKs.

When the user checks out on device B, SPC gets triggered by the client. The user confirms the payment and authenticates with the passkey, but the assertion does not include the BBK. Because a passkey without BBK is not considered MFA, there are two options:

  1. Use third-party cookies, which may be restricted and may not be reliable as a device possession factor.
  2. Initiate another form of IDV that would satisfy the MFA requirement. In this scenario, the user would always be authenticated twice - first with SPC/passkey, and then with another MFA-compliant ID&V as fallback.

We'd like to discuss and address the issue mentioned above. Using the implementation based on the current SPC specification, these issues cannot be prevented. Some suggested paths to resolve it are:

  • Introduce a method similar to PaymentRequest.securePaymentConfirmationAvailability(), where the client could check if BBK is supported by the browser on a given device before triggering the SPC request.
  • Add a new option to the SPC request specifying that BBK is required along with passkey authentication, so the browser would provide fallback UX without requesting passkey authentication when BBK is not available.

There is an issue, #287, that refers to a slightly different but related problem.
