<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Heh, yeah, we violently agree. <br>
<br>
My note about Facebook contemplating being a browser maker was
more along the idea that they would be a navigator.auth.get
provider, which would tie users back to their revenue
engine^W^Wcustomer base, similar to how Chrome works. Possibly
they may argue that there be the ability for users to elect a
"Trusted Auth Provider" so that users can specify Facebook as
their provider of choice. Not terribly sure I'd agree to that, but
I get their stand.<br>
<br>
On 7/29/2015 2:04 PM, Sean McArthur wrote:<br>
</div>
<blockquote
cite="mid:CAHrH6bOmzmnLFJHttOTXYa5Dx10=aqmGqLnbv-ufT8x=D2PCJQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>The identifier doesn't have to be an email, though that
does seem to be the most common form. A URL works too, so
OpenID isn't excluded.<br>
<br>
</div>
I'm not interested in getting Facebook to accept my Gmail
login (that could be nice, though). They have the proper
talent and expertise to safeguard my data (read: password). I
want all the other smaller sites, such as Hacker News, or
Feedly, or Evernote, to accept a JWT from
`navigator.auth.get()`, instead of keeping a copy of my
password in their database.<br>
<br>
</div>
Also, I don't see Facebook needing to make a browser in order to
be usable with `navigator.auth.get`. As the post mentions, the
details of how are left up to each browser, but it should be
possible for any browser to allow other accounts to be "logged
in to the browser". I'd hope that eventually, Firefox will have
me signed in as my Gmail, Twitter, Facebook, and Github
accounts. Then, the picker that Firefox would show would ask
which of these 4 I want to share to the target website.<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Jul 29, 2015 at 12:43 PM JR Conlin <<a
moz-do-not-send="true" href="mailto:jconlin@mozilla.com"><a class="moz-txt-link-abbreviated" href="mailto:jconlin@mozilla.com">jconlin@mozilla.com</a></a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>As a site grows, it becomes more and more interested in
owning and monetizing a given user. Taking a slight twist
on that, what a site cares most about is ensuring that a
given user is both unique and accountable. (e.g. they
don't care if you're "daniel" or some long string of crap.
They'll ask you for lots of personal info if they can't
get it. "Accountable" means that they can resolve you as a
unique impression regardless of device or location.)<br>
<br>
I know that sites tend to distrust third parties pretty
much for the same reasons that users do, they're unknown
and usually rivals. The interesting take on the browser
generating the ID is that (with one notable exception) the
browser manufacturer isn't a direct competitor. This might
entice facebook into offering their own browser, but
that's a different issue.<br>
<br>
My experience is strictly anecdotal, but the sites I dealt
with generally found account management kind of a pain in
the butt, to the point where they'll use some crappy
account registry library with horribly broken-bits. (see <a
moz-do-not-send="true" href="http://youfailatemail.com"
target="_blank"><a class="moz-txt-link-freetext" href="http://youfailatemail.com">http://youfailatemail.com</a></a> for one of
my response domains). If navigator.auth.get returns a
unique, accountable ID for a given user, there's a plug in
for Wordpress, phpbb and a few shopping portal packages, I
think you're probably golden.<br>
<br>
We're not going to get Facebook, Twitter, Amazon, or even
Reddit using this because they have too much invested in
providing their own login. You *might* get sites like
Yahoo and news sites using it. <br>
</div>
</div>
<div bgcolor="#FFFFFF" text="#000000">
<div> <br>
On 7/29/2015 11:58 AM, Daniel Coates wrote:<br>
</div>
</div>
<div bgcolor="#FFFFFF" text="#000000">
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>This is great, Sean!<br>
<br>
</div>
You wrote:<br>
<br>
"A website could ask for credentials from the
navigator, and the browser can show its own trusted
UI asking the user if and which ID to share to the
website."<br>
<br>
</div>
I'm curious about "which ID" specifically. I like
Persona a lot (obviously) but one of the things about
it that I think holds it back is that it requires
sites to give up control (and potentially
availability) of the login process. So does OpenID, et
al.<br>
<br>
It seems to me like the practice of outsourcing logins
to a 3rd party service has mostly gone out of style.
The story seems to go: "We're a startup, lets use
Facebook for auth. We're doing well, lets transition
to our own auth but allow signups with Facebook. Ok,
lets get rid of Facebook." The more successful the
site, the more they care about owning the login
process because its a critical part of their business.
Any general solution to the login problem needs to
respect this. Fortunately, the user-agent is in a
unique position to do this. <br>
<br>
Is your vision of `navigator.auth.get` as sort of an
API to an enhanced password manager? - It handles the
credentials, picker, etc, and sync handles
distribution. For signups maybe we prefill with your
sync profile data? I think that would be a significant
improvement to login page AutoFill. It doesn't
eliminate account / password growth, but it makes it
less painful, and it works with the web we already
have.<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Jul 29, 2015 at 9:26
AM, Sean McArthur <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:smcarthur@mozilla.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:smcarthur@mozilla.com">smcarthur@mozilla.com</a></a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I've been thinking again about how we
can stop using so many passwords across the web.
Now that pretty much every browser can be
signed-in-to, we could try to standardize a way of
getting *that* account.
<div><br>
</div>
<div>Proposed:</div>
<div><br>
</div>
<div> navigator.auth.get() ->
Promise<JWT></div>
<div><br>
</div>
<div>Larger article: <a moz-do-not-send="true"
href="http://seanmonstar.com/post/125352745992/whats-the-password"
target="_blank">http://seanmonstar.com/post/125352745992/whats-the-password</a></div>
<div><br>
</div>
<div>I have a contact on the Microsoft Edge team
that largely agrees with the idea, and my next
steps would be to try to contact people on
Chromium and WebKit and see if this is something
we could pursue.</div>
</div>
<br>
_______________________________________________<br>
Dev-fxacct mailing list<br>
<a moz-do-not-send="true"
href="mailto:Dev-fxacct@mozilla.org"
target="_blank">Dev-fxacct@mozilla.org</a><br>
<a moz-do-not-send="true"
href="https://mail.mozilla.org/listinfo/dev-fxacct"
rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/dev-fxacct</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Dev-fxacct mailing list
<a moz-do-not-send="true" href="mailto:Dev-fxacct@mozilla.org" target="_blank">Dev-fxacct@mozilla.org</a>
<a moz-do-not-send="true" href="https://mail.mozilla.org/listinfo/dev-fxacct" target="_blank">https://mail.mozilla.org/listinfo/dev-fxacct</a>
</pre>
</blockquote>
<br>
</div>
_______________________________________________<br>
Dev-fxacct mailing list<br>
<a moz-do-not-send="true" href="mailto:Dev-fxacct@mozilla.org"
target="_blank">Dev-fxacct@mozilla.org</a><br>
<a moz-do-not-send="true"
href="https://mail.mozilla.org/listinfo/dev-fxacct"
rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/dev-fxacct</a><br>
</blockquote>
</div>
</blockquote>
<br>
</body>
</html>