[Openid-specs-fapi] BG/Embedded SCA - Clinically free from OAuth

Anders Rundgren anders.rundgren.net at gmail.com
Sun Jul 26 16:59:49 UTC 2020


On 2020-07-26 18:38, Torsten Lodderstedt wrote:
> 
> 
>> On 26. Jul 2020, at 18:21, Anders Rundgren <anders.rundgren.net at gmail.com> wrote:
>>
>> On 2020-07-26 17:52, Torsten Lodderstedt wrote:
>> <snip>
>>>>
>>>> My turn for a question: do you think FAPI/OBIE should follow BG?
>>> Why should we? The whole embedded stuff is contrary to any security best practice.
>>
>> Essentially you are saying that Apple Pay and EMV don't work.
> 
> No, I’m saying the BG embedded SCA mode contradicts best security practice.

It can be as secure as the targeted payment scheme is.


> I’m not an expert in payments, but here is my take:
> 
> Apple Pay works differently as the credit card is tokenized and I assume Apple never sees the user’s credentials with the bank.

Correct. This can be achieved with a suitable Embedded SCA scheme, which then can offer a payment experience comparable to Apple Pay, which is the explicit goal.

That's all.

Regards,
Anders

> 
> EMV at the POS is closer to the embedded mode as everything, including the PIN, goes through the terminal. Security is ensured by tight control over the participants - the whole approach is everything but open.
> 
> In online use cases, 3DS uses the break out to let the issuer ask the user for her credentials, which is more OAuth-like.
> 
> The world is a bit more complicated than black and white.
> 
>>
>> Regards,
>> Anders