On Tue, Oct 21, 2014 at 8:28 PM, Doug Turner <do...@mozilla.com
>> I doubt that's what roc was suggesting. But it's hard to say more without
>> more details on the said overall strategy.
> I think this is an interesting idea and we should look into how much effort it is to add support for this usb security key.
> And, I think we can go a long way in fixing the password problem without having to depend on custom hardware. I'd like to see us invest in fixing/improving our built-in password manager and autofill in Firefox. Many 3rd party password managers have made huge strides in reducing the friction of creating unique high-entropy passwords without relaying on custom hardware. I use such a product and it is a game changer -- I don't know any of my password but the master password.
> So maybe before we write code to support a new token, we figure out what the Firefox plan around password management is?
The spec here could help a lot with improving the password/login situation.
It does a few things as currently drafted. One of which is to allow
websites to more explicitly interact with our password manager. It
currently only covers the case of getting a username+password to log
the user in, but the plan is to extend it to also cover the case of
generating a password to use for the website. With that we could
create very good integration with password managers like 1Password.
Another thing it does is to help with federated ID providers such as
facebook and firefox accounts.
What's really good about the spec though is that it solves the
chicken-and-egg problem that we've struggled with for a while. It
enables websites to do exactly what they are doing today but slowly
take advantage of features from the spec at whatever pace they see
fit. It also doesn't require federated ID providers to make any
changes in order work with the API.
The spec also provides a good first step towards getting the browser
more involved in the login flow. This could make it easier for us to
do things like add hardware tokens in the future.