Security/Features/Credential Management API
From MozillaWiki
Contents
Resources
- https://w3c.github.io/webappsec-credential-management
- https://developer.mozilla.org/en-US/docs/Web/API/Credential_Management_API
- https://github.com/w3c/webappsec-credential-management
- https://www.chromestatus.com/feature/5026422640869376
Evaluation
(These do not necessarily represent the views of Mozilla as a whole)
Pros
- More secure login UI
- Requires a Secure Context
- This has issues with window.opener
- Only if users notice the lack of this UI if they're getting phished
- Unclear if it's more secure than us showing warnings on insecure login forms
- Requires a Secure Context
- Local: Web page never gets access to the plaintext password.
- Credentials can only be sent to the intended origin
- Allows cross-device automatic login without user mediation if the user chooses.
- For a single device sites can already have long-lived cookies if they wanted.
- This would allow clearing of cookies but still having a seamless login
- This is most useful for multi-device scenarios since cookies aren't synced.
- Federated: Reduces the Nascar effect where sites have logos of many Federated auth. providers (even for IdPs the user doesn't use).
- This would work cross-device whereas local storage solutions only worked locally
- Federated: The UA will remember (cross-device) which federated identity provider were used on a given site
- Provides an API for sites to tell the browser to save a specific credential
- We will still have to use heuristics on those pages as we won't know if the save API is going to be used in the future
- Sites that want their logins saved can already do this with <form> so it doesn't really give anything new. Sites that don't want their credentials saved will still not use this.
- Sites may start relying on this and only have credentials saved in supporting browsers.
- This could be abused by sites to overwrite saved credentials.
Cons
- Can make it harder for 3rd-party password managers to be involved
- We should see if any 3rd-party password manager implements it
- Federated Credentials help keep you in the Google Ecosystem
- Doesn't remove the need for form heuristics in our password manager i.e. it only adds more complexity
- Doesn't help with account registration because it doesn't collect info like names and emails (unlike RequestAutocomplete). Those will remain potentially less secure with no trusted UI.
- Low adoption so far it seems: See https://www.chromestatus.com/metrics/feature/popularity#CredentialManagerGet
- Should get devrel outreach to understand this