A partial archive of discourse.wicg.io as of Saturday February 24, 2024.

Proposal | AutoCred - a specification for auto management credentials


We are in 2019; though SSO has been here for a while, it isn’t as common as passwords. Though many protocols exist for a smart login that needs almost zero user interaction, most users still authenticate with their password. With that said, there are in the wild some solutions which offer password management, such as LastPass and Dashlane. Most browsers have password-management features, such as auto-fill and sync across devices. But there are some problems, which are inevitable because there is no standard way to present the login page. Though most sites will probably present 2 text boxes to fill, a user will have to navigate to the login page, and sometimes even correct its auto-filler (whether it is the browser or an external password manager). The problem worsens where there is a 3-field authentication form. This is a horrible user experience. Features that are much more complicated to implement, such as auto password change, are usually buggy, because the only way that the password manager will be able to auto-replace a password is to mimic a human user’s behavior, which usually fails. If you think about it, humans should not hassle themselves with strange strings; these things are for computers.

The suggestion

I suggest that we should specify a generic API specification which will allow any password manager to communicate with the app regarding the credentials. My hope is that, when it is fully implemented, whenever I try to access a site, my password manager will just offer me to log in, without login pages, and will auto-switch my password etc., without my intervention.

I suggest it will be something like this: any site that supports AutoCred (that is what I suggest naming it; it doesn’t really matter) will attach to any page that supports auto credential management a header which will redirect to a URL endpoint, which as a standard will support some of the following methods (served as HTTP-JSON based):

- Manifest: what is allowed of the generic API, the supported version of AutoCred, and the auth fields.
- Login: which will get as parameters all the auth fields and return a result (if cookie changes are to be made, it will also change the cookies’ state).
- Change: auto change auth fields.
- Delete: delete an account.
- Logout: cookie changes behavior as described in login.

Any methods that are related to credentials?


I think this is already covered by the Credential Management API: https://developers.google.com/web/fundamentals/security/credential-management/

Spec: https://www.w3.org/TR/credential-management-1/