navigator.auth.get


Sean McArthur

Jul 29, 2015, 12:26:48 PM
to dev-f...@mozilla.org, dev-id...@lists.mozilla.org
I've been thinking again about how we can stop using so many passwords
across the web. Now that pretty much every browser can be signed-in-to, we
could try to standardize a way of getting *that* account.

Proposed:

navigator.auth.get() -> Promise<JWT>

Larger article: http://seanmonstar.com/post/125352745992/whats-the-password

I have a contact on the Microsoft Edge team that largely agrees with the
idea, and my next steps would be to try to contact people on Chromium and
WebKit and see if this is something we could pursue.

Adam Renberg

Jul 29, 2015, 1:36:13 PM
to Sean McArthur, dev-f...@mozilla.org, dev-id...@lists.mozilla.org
Very interesting.

Dick Hardt

Jul 29, 2015, 1:52:40 PM
to Adam Renberg, dev-id...@lists.mozilla.org, dev-f...@mozilla.org, Sean McArthur
What are you thinking would be in the JWT?

Your JWT signing link shows how it would be signed, but how would the web
site get the key material to verify? Would the browser vendors all have a
public private key pair that they would be signing with?
--

Check out my Desktop Container Computer on Kickstarter
<https://www.kickstarter.com/projects/dickhardt/dc2-desktop-container-computer-for-docker-containe>!

Signup at http://HARDTWARE.com to be notified about my next Kickstarter, a
multi tool wrist / watch band
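
The verification step asked about above, as an added example that is not part of the thread or of the proposal: a site checking an RS256-signed JWT against a key it already trusts. The thread does not define the token's claims or how keys are distributed, so the issuer URL, the `TRUSTED_ISSUERS` store and the use of the standard `iss`/`aud`/`exp` claims are assumptions.

```javascript
// Added example (Node.js, built-in crypto only); names and URLs are hypothetical.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Constructed key pair standing in for whoever would sign the token.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Hypothetical trust store: issuer -> public key the site obtained out of band.
const TRUSTED_ISSUERS = new Map([['https://accounts.browser.example', publicKey]]);

// Helper that mints a token the way the assumed issuer would.
function signJwt(claims, key) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`), key);
  return `${head}.${body}.${b64url(sig)}`;
}

function verifyJwt(token, expectedAudience, nowSec = Math.floor(Date.now() / 1000)) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = token.split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return fail('malformed');
  }
  if (!header || !claims) return fail('malformed');
  // Pin the algorithm; the token must not choose it (rejects "none" and HMAC confusion).
  if (header.alg !== 'RS256') return fail('bad-alg');
  // The key comes from the site's own trust store, never from the token itself.
  const key = TRUSTED_ISSUERS.get(claims.iss);
  if (!key) return fail('untrusted-issuer');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('sha256', signed, key, Buffer.from(parts[2], 'base64url'))) {
    return fail('bad-signature');
  }
  // A token minted for another site, or an old one, must not be accepted here.
  if (claims.aud !== expectedAudience) return fail('wrong-audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return fail('expired');
  return { ok: true, claims };
}
```

Every check before the signature test depends on `TRUSTED_ISSUERS` being populated from somewhere the site trusts, which is the open question in the message above.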

Francois Marier

Jul 29, 2015, 2:24:35 PM
On 29/07/15 09:26 AM, Sean McArthur wrote:
> I've been thinking again about how we can stop using so many passwords
> across the web. Now that pretty much every browser can be signed-in-to, we
> could try to standardize a way of getting *that* account.

A (somewhat) related standardization effort is the Credential Management
spec in the W3C webappsec group:

https://w3c.github.io/webappsec/specs/credentialmanagement/

Francois

Eric Korb

Jul 29, 2015, 2:55:31 PM
Also, this relates to the standardization effort for Credentials in W3C Credential Community Group http://opencreds.org/specs/source/identity-credentials/

Daniel Coates

Jul 29, 2015, 2:58:37 PM
to Sean McArthur, dev-f...@mozilla.org, dev-id...@lists.mozilla.org
This is great, Sean!

You wrote:

"A website could ask for credentials from the navigator, and the browser
can show its own trusted UI asking the user if and which ID to share to the
website."

I'm curious about "which ID" specifically. I like Persona a lot (obviously)
but one of the things about it that I think holds it back is that it
requires sites to give up control (and potentially availability) of the
login process. So does OpenID, et al.

It seems to me like the practice of outsourcing logins to a 3rd party
service has mostly gone out of style. The story seems to go: "We're a
startup, let's use Facebook for auth. We're doing well, let's transition to
our own auth but allow signups with Facebook. Ok, let's get rid of
Facebook." The more successful the site, the more they care about owning
the login process because it's a critical part of their business. Any
general solution to the login problem needs to respect this. Fortunately,
the user-agent is in a unique position to do this.

Is your vision of `navigator.auth.get` as sort of an API to an enhanced
password manager? - It handles the credentials, picker, etc, and sync
handles distribution. For signups maybe we prefill with your sync profile
data? I think that would be a significant improvement to login page
AutoFill. It doesn't eliminate account / password growth, but it makes it
less painful, and it works with the web we already have.

On Wed, Jul 29, 2015 at 9:26 AM, Sean McArthur <smca...@mozilla.com>
wrote:

> I've been thinking again about how we can stop using so many passwords
> across the web. Now that pretty much every browser can be signed-in-to, we
> could try to standardize a way of getting *that* account.
>
> Proposed:
>
> navigator.auth.get() -> Promise<JWT>
>
> Larger article:
> http://seanmonstar.com/post/125352745992/whats-the-password
>
> I have a contact on the Microsoft Edge team that largely agrees with the
> idea, and my next steps would be to try to contact people on Chromium and
> WebKit and see if this is something we could pursue.
>

Sean McArthur

Jul 29, 2015, 3:02:52 PM
to dev-id...@lists.mozilla.org, dev-f...@mozilla.org
Indeed, shortly after writing this (of course, not before!), I was pointed
at the Credential Management effort, which seems like the best place to
push to get something like this going.

Axel Nennker

Jul 29, 2015, 3:41:57 PM
to Sean McArthur, dev-f...@mozilla.org, dev-id...@lists.mozilla.org
Some initial implementation of the W3C credential management standard
proposal is here: https://github.com/AxelNennker/firefox_credentials/
How about integration of your proposal there?

Axel
On 29.07.2015 21:02, "Sean McArthur" <smca...@mozilla.com> wrote:

> Indeed, shortly after writing this (of course, not before!), I was pointed
> at the Credential Management effort, which seems like the best place to
> push to get something like this going.

Gervase Markham

Jul 30, 2015, 9:31:19 AM
to Daniel Coates, Sean McArthur, dev-f...@mozilla.org, dev-id...@lists.mozilla.org
On 29/07/15 19:58, Daniel Coates wrote:
> I'm curious about "which ID" specifically. I like Persona a lot (obviously)
> but one of the things about it that I think holds it back is

If we are riding that horse: the other thing is that if you use Facebook
login, you get to find out lots about your customers, which is massively
valuable.

Any login system which tries to oust Facebook et al. needs to have,
both for competitiveness and usability, a way for the user to say "Yes,
tell this site my name / age / billing address - and, in fact, if I ever
update these things and revisit the site, notify it that they've changed
so I don't have to."

Gerv

Gervase Markham

Jul 30, 2015, 9:43:13 AM
to Daniel Coates, Sean McArthur, dev-f...@mozilla.org, dev-id...@lists.mozilla.org
On 29/07/15 19:58, Daniel Coates wrote:
> I'm curious about "which ID" specifically. I like Persona a lot (obviously)
> but one of the things about it that I think holds it back is

Andrew Ducker

Jul 30, 2015, 9:58:48 AM
I love the credential management spec.

If nothing else, it means that the browser password managers don't have to parse the HTML on the page and make educated guesses about password fields.

And the FederatedCredential flow would also be simple, except that instead of passing back a password it would pass back a certificate.

It's got an awful lot of potential.

Anyone know whether it's got any traction?

Andy