ACCOUNT CHOOSER to RE-charter
- Account Chooser, the Re-Charter
- Tuesday 2C
Convener: Pamela Dingle
Notes-taker(s): Pamela Dingle
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Rechartering presentation available at: http://openid.net/wordpress-content/uploads/2016/11/Account-Chooser-Rechartering.pdf
How do you see this interacting with 2-factor authentication?
- there are 2 levels — device locks like pin codes screen locks
- or authentication services
- Might be possible to store that information in the preference manager
Could an application bar password managers from being used? *Today the application can specify what the support, so that the account chooser knows what to render
Isn’t this just encouraging password manager proliferation, why not just federate?
- The thought is that federation is not an easy lift for all, but embracing programmatic authentication could be an important first step that could move us in a direction that could move us towards more mainstream federated mechanisms
Will this just mean passwords are all over the place?
- Storage of passwords is an implementation decision out of the control of the charter of this WG
What does the process flow for the credential save API lookalike?
- There are concepts like tentative saves, etc that help with ephemeral password saving
Can you talk about how the isolation works between the password manager and mobile apps
- Security aspects of the app talking to the password manager depend on the capabilities of the mobile operating system
How do you prevent XSS in the retrieval of credentials via the API?
- This is going to get released as part of the WG work
- Developer education is also an important mechanism
How is this different from the W3C credential management work?
- The W3C effort just assumes that the browser is the password manager, this effort is focused on the mechanism for choosing a provider, as well as the API for interacting
- Is there any assumption that the credential is local or cloud?
- Doesn’t matter, it is an interaction between parties, how those parties store information is up to the party