Support WebOTP API and origin-bound one time code in cross-origin iframes

[yi-gu]

HIQaH! QaH! TAG!

I'm requesting a TAG review of supporting WebOTP API and origin-bound one time code in cross-origin iframes.

The WebOTP API gives developers the ability to programmatically read one time codes from specially-formatted SMSes addressed to their origin to reduce user friction. The origin-bound one time code format is supported in Chrome and Safari. WebOTP API is supported in Chrome (TAG review, I2S).

In the initial launch of the API, we deliberately ignored the cross-origin iframe support. Post launch, we are trying to add such support to address feature requests from the web developer community (e.g. Shopify, iCloud) and improve interoperability.

Links for the general WebOTP API:

• Explainer¹ of the general WebOTP API: url
• Specification URL: WebOTP API, sms-one-time-codes
• Security and Privacy self-review² for the general WebOTP API: url

Links for cross-origin support:

• Chrome implementation design doc
• Key pieces of existing multi-stakeholder review or discussion of this specification: Third-party authentication / nested iframes WICG/sms-one-time-codes#4
• GitHub repo: url
• Tests: wpt
• Primary contacts (and their relationship to the specification):
  • @samuelgoto (editor, Google) @hober@(Editor, Apple), @yi-gu (Chrome implementation), @erynofwales (Safari implementation)
• Organization(s)/project(s) driving the specification: Google, Apple

Further details:

• I have reviewed the TAG's API Design Principles
• Relevant time constraints or deadlines: We like to ship this in Chrome M90
• The group where the work on this specification is currently being done: WICG
• The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue):

You should also know that...

The implication of the proposed modification:

• Developers need to send SMS that complies with the updated format for cross-origin usage
  • Agreed format

We'd prefer the TAG provide feedback as (please delete all but the desired option):

🐛 open issues in our GitHub repo for each point of feedback

[torgo]

We discussed briefly in our call today and we think we may be able to close this off this week. Will revisit in the plenary call.

[kenchris]

This looks good to us, it is a small delta, the right people have been involved and the double keying looks like the right solution to us! Thanks for bringing this to the TAG!

[samuelgoto]

Neat! Thanks all!!