Security/Features/Credential Management API

From MozillaWiki

Resources

Evaluation

(These do not necessarily represent the views of Mozilla as a whole)

Pros

  • More secure login UI
    • Requires a Secure Context
      • This has issues with window.opener
    • Only helps if users notice the absence of this UI when they're being phished
    • Unclear if it's more secure than us showing warnings on insecure login forms
  • Local: Web page never gets access to the plaintext password.
    • Credentials can only be sent to the intended origin
  • Allows cross-device automatic login without user mediation if the user chooses.
    • On a single device, sites can already use long-lived cookies if they want.
    • This would allow clearing of cookies but still having a seamless login
    • This is most useful for multi-device scenarios since cookies aren't synced.
  • Federated: Reduces the NASCAR effect, where sites show the logos of many federated auth providers (even for IdPs the user doesn't use).
    • This would work cross-device, whereas local storage solutions only work locally
  • Federated: The UA will remember (cross-device) which federated identity provider was used on a given site
  • Provides an API for sites to tell the browser to save a specific credential
    • We will still have to use heuristics on those pages as we won't know if the save API is going to be used in the future
    • Sites that want their logins saved can already do this with <form> so it doesn't really give anything new. Sites that don't want their credentials saved will still not use this.
    • Sites may start relying on this and only have credentials saved in supporting browsers.
    • This could be abused by sites to overwrite saved credentials.
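
How a site might use the API described in the list above while still working in browsers that lack it (an added example, not from the original wiki page). The injected `win` parameter and the function names are assumptions made so the logic can run outside a browser; in a page you would pass `window`.

```javascript
// True only when the API can be called: a Secure Context plus the objects used below.
function credentialApiUsable(win) {
  return Boolean(win.isSecureContext &&
    win.navigator && win.navigator.credentials &&
    typeof win.PasswordCredential === 'function');
}

// After a successful login, ask the browser to save the credential.
// Returns 'api' when store() was used and 'form' when the page has to rely on
// the password manager's own <form> heuristics, which therefore must keep working.
async function saveAfterLogin(win, form) {
  if (!credentialApiUsable(win)) return 'form';
  try {
    const cred = new win.PasswordCredential(form);
    await win.navigator.credentials.store(cred);
    return 'api';
  } catch (e) {
    return 'form'; // constructor or store() rejected; do not break the login flow
  }
}

// Attempt automatic sign-in without user mediation.
// null means "render the normal login form".
async function trySilentSignIn(win) {
  if (!credentialApiUsable(win)) return null;
  try {
    return await win.navigator.credentials.get({ password: true, mediation: 'silent' });
  } catch (e) {
    return null;
  }
}

// On sign-out, tell the browser not to sign the user back in silently next visit.
async function signOut(win) {
  if (credentialApiUsable(win) && win.navigator.credentials.preventSilentAccess) {
    await win.navigator.credentials.preventSilentAccess();
  }
}
```
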


Cons

  • Can make it harder for 3rd-party password managers to be involved
    • We should see if any 3rd-party password manager implements it
  • Federated Credentials help keep you in the Google Ecosystem
  • Doesn't remove the need for form heuristics in our password manager, i.e. it only adds more complexity
  • Doesn't help with account registration because it doesn't collect info like names and emails (unlike RequestAutocomplete). Those will remain potentially less secure with no trusted UI.
  • Adoption seems low so far. See https://www.chromestatus.com/metrics/feature/popularity#CredentialManagerGet
    • Should get devrel outreach to understand this