ACCOUNT CHOOSER to RE-charter

From IIW
Jump to: navigation, search
Account Chooser, the Re-Charter


Tuesday 2C

Convener: Pamela Dingle

Notes-taker(s): Pamela Dingle


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Rechartering presentation available at: http://openid.net/wordpress-content/uploads/2016/11/Account-Chooser-Rechartering.pdf


Questions:

How do you see this interacting with 2-factor authentication?

  • there are 2 levels — device locks like pin codes screen locks
  • or authentication services
  • Might be possible to store that information in the preference manager

Could an application bar password managers from being used? *Today the application can specify what the support, so that the account chooser knows what to render

Isn’t this just encouraging password manager proliferation, why not just federate?

  • The thought is that federation is not an easy lift for all, but embracing programmatic authentication could be an important first step that could move us in a direction that could move us towards more mainstream federated mechanisms

Will this just mean passwords are all over the place?

  • Storage of passwords is an implementation decision out of the control of the charter of this WG

What does the process flow for the credential save API lookalike?

  • There are concepts like tentative saves, etc that help with ephemeral password saving

Can you talk about how the isolation works between the password manager and mobile apps

  • Security aspects of the app talking to the password manager depend on the capabilities of the mobile operating system

How do you prevent XSS in the retrieval of credentials via the API?

  • This is going to get released as part of the WG work
  • Developer education is also an important mechanism

How is this different from the W3C credential management work?

  • The W3C effort just assumes that the browser is the password manager, this effort is focused on the mechanism for choosing a provider, as well as the API for interacting
  • Is there any assumption that the credential is local or cloud?
  • Doesn’t matter, it is an interaction between parties, how those parties store information is up to the party