User and Developer Experience Feedback

General:

  • Note the W3C's public analysis of the user experience issues with using custom URL schemes. https://github.com/WICG/identity-credential/blob/main/custom-schemes.md
  • The proposals require multiple HTTP "round trips" (posts and redirects), which can be complex, fragile and even unfriendly to developers. A better alternative would be to use the platform-provided APIs for wallet invocation and return of results. For example, exchanging an authorization code for an access token, and then for a credential presentation, makes sense when the authorization server and the service provider are separate entities, and when front-channel-vs-back-channel security issues must be considered, but it introduces unnecessary complexity for this use case, especially when using platform APIs.

**Option B** - UI Flow

  • Wallet app identification
    • The deep link to the wallet app in screen #1 assumes that the RP is aware of the wallet app that is installed on the user's device. Without support from the platform (which does not exist today), this would not be possible
    • This UI is missing some use cases that need to be accounted for in the proposal:
      • Multiple wallet apps
      • Multiple valid IDs for the request of the RP
      • No wallet installed on the user's device
  • User experience
    • Extra authentication 
      • The request for biometric authentication in screen #3, before any information about what is being asked is shown, might be confusing to users
      • Furthermore, asking for that authentication and then, just a few steps later, asking for another authentication when unlocking the ID itself (on screen #7) might create friction and feel redundant to users
    • Tapping physical ID on device
      • The proposed fallback for devices that cannot support an ID 'on-device' requires users to tap their physical card on the phone each time the card is to be used online (twice per the mocks shown). We see this degraded user experience having negative outcomes:
        • It may be a hindrance to adoption of these digital IDs (the friction will make users opt to forgo this path, and to perform the action as they do today)
        • Because devices that have higher-security hardware in place are also very likely to be more expensive, this approach biases toward a poor user experience for users who can't afford or do not want to use higher-end devices

**Option C** - UI Flow

  • [Similar comments as described above; see the "Extra authentication" notes under Option B]
  • User experience 
    • The RP would need to handle the user's return to their app / website with a successful completion of the flow, which would be redundant with the proposed wallet redirect screen (#6) showing the user successful completion of the steps
    • Overall, this option C has a more streamlined flow than option B