Cross-site tracking on the Web has recently spurred a series of browser interventions to protect user’s privacy.
Unfortunately, the same low level primitives that are being tightened up are also the primitives that federated sign-in relies on, namely cookies, top level redirects and cross origin iframe communication (postMessage).
In many ways, identity federation has unquestionably played a central role in raising the bar for authentication on the web, in terms of ease-of-use (e.g. passwordless single sign-on), security (e.g. improved resistance to phishing and credential stuffing attacks) and trustworthiness compared to its preceding pattern: per-site usernames and passwords.
We think it is key to expose new privacy-oriented affordances that allows federation to be preserved and to do that as thoughtfully as we can in terms of deployment and backwards compatibility.
We don’t know yet what those look like, but we are starting to explore them here:
Any chance anyone else around here would be interested in collaborating and helping us figure this out? If you are interested, reply here and I’d be happy to move my repo into the WICG so that we can collaborate.