<div dir="ltr"><div><div>The identifier doesn't have to be an email, though that does seem to be the most common form. A URL works too, so OpenID isn't excluded.<br><br></div>I'm not interested in getting Facebook to accept my Gmail login (that could be nice, though). They have the proper talent and expertise to safeguard my data (read: password). I want all the other smaller sites, such as Hacker News, or Feedly, or Evernote, to accept a JWT from `navigator.auth.get()`, instead of keeping a copy of my password in their database.<br><br></div>Also, I don't see Facebook needing to make a browser in order to be usable with `navigator.auth.get`. As the post mentions, the details of how are left up to each browser, but it should be possible for any browser to allow other accounts to be "logged in to the browser". I'd hope that eventually, Firefox will have me signed in as my Gmail, Twitter, Facebook, and Github accounts. Then, the picker that Firefox would show would ask which of these 4 I want to share to the target website.<br></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Jul 29, 2015 at 12:43 PM JR Conlin <<a href="mailto:jconlin@mozilla.com">jconlin@mozilla.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>As a site grows, it becomes more and
more interested in owning and monetizing a given user. Taking a
slight twist on that, what a site cares most about is ensuring
that a given user is both unique and accountable. (e.g. they don't
care if you're "daniel" or some long string of crap. They'll ask
you for lots of personal info if they can't get it. "Accountable"
means that they can resolve you as a unique impression regardless
of device or location.)<br>
<br>
I know that sites tend to distrust third parties pretty much for
the same reasons that users do, they're unknown and usually
rivals. The interesting take on the browser generating the ID is
that (with one notable exception) the browser manufacturer isn't a
direct competitor. This might entice facebook into offering their
own browser, but that's a different issue.<br>
<br>
My experience is strictly anecdotal, but the sites I dealt with
generally found account management kind of a pain in the butt, to
the point where they'll use some crappy account registry library
with horribly broken-bits. (see <a href="http://youfailatemail.com" target="_blank">http://youfailatemail.com</a> for one
of my response domains). If <i></i>navigator.auth.get returns a
unique, accountable ID for a given user, there's a plug in for
Wordpress, phpbb and a few shopping portal packages, I think
you're probably golden.<br>
<br>
We're not going to get Facebook, Twitter, Amazon, or even Reddit
using this because they have too much invested in providing their
own login. You *might* get sites like Yahoo and news sites using
it. <br></div></div><div bgcolor="#FFFFFF" text="#000000"><div>
<br>
On 7/29/2015 11:58 AM, Daniel Coates wrote:<br>
</div></div><div bgcolor="#FFFFFF" text="#000000">
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>This is great, Sean!<br>
<br>
</div>
You wrote:<br>
<br>
"A website could ask for credentials from the navigator, and
the browser can show its own trusted UI asking the user if
and which ID to share to the website."<br>
<br>
</div>
I'm curious about "which ID" specifically. I like Persona a
lot (obviously) but one of the things about it that I think
holds it back is that it requires sites to give up control
(and potentially availability) of the login process. So does
OpenID, et al.<br>
<br>
It seems to me like the practice of outsourcing logins to a
3rd party service has mostly gone out of style. The story
seems to go: "We're a startup, lets use Facebook for auth.
We're doing well, lets transition to our own auth but allow
signups with Facebook. Ok, lets get rid of Facebook." The more
successful the site, the more they care about owning the login
process because its a critical part of their business. Any
general solution to the login problem needs to respect this.
Fortunately, the user-agent is in a unique position to do
this. <br>
<br>
Is your vision of `navigator.auth.get` as sort of an API to an
enhanced password manager? - It handles the credentials,
picker, etc, and sync handles distribution. For signups maybe
we prefill with your sync profile data? I think that would be
a significant improvement to login page AutoFill. It doesn't
eliminate account / password growth, but it makes it less
painful, and it works with the web we already have.<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Jul 29, 2015 at 9:26 AM, Sean
McArthur <span dir="ltr"><<a href="mailto:smcarthur@mozilla.com" target="_blank">smcarthur@mozilla.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I've been thinking again about how we can
stop using so many passwords across the web. Now that
pretty much every browser can be signed-in-to, we could
try to standardize a way of getting *that* account.
<div><br>
</div>
<div>Proposed:</div>
<div><br>
</div>
<div> navigator.auth.get() -> Promise<JWT></div>
<div><br>
</div>
<div>Larger article: <a href="http://seanmonstar.com/post/125352745992/whats-the-password" target="_blank">http://seanmonstar.com/post/125352745992/whats-the-password</a></div>
<div><br>
</div>
<div>I have a contact on the Microsoft Edge team that
largely agrees with the idea, and my next steps would be
to try to contact people on Chromium and WebKit and see
if this is something we could pursue.</div>
</div>
<br>
_______________________________________________<br>
Dev-fxacct mailing list<br>
<a href="mailto:Dev-fxacct@mozilla.org" target="_blank">Dev-fxacct@mozilla.org</a><br>
<a href="https://mail.mozilla.org/listinfo/dev-fxacct" rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/dev-fxacct</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Dev-fxacct mailing list
<a href="mailto:Dev-fxacct@mozilla.org" target="_blank">Dev-fxacct@mozilla.org</a>
<a href="https://mail.mozilla.org/listinfo/dev-fxacct" target="_blank">https://mail.mozilla.org/listinfo/dev-fxacct</a>
</pre>
</blockquote>
<br>
</div>
_______________________________________________<br>
Dev-fxacct mailing list<br>
<a href="mailto:Dev-fxacct@mozilla.org" target="_blank">Dev-fxacct@mozilla.org</a><br>
<a href="https://mail.mozilla.org/listinfo/dev-fxacct" rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/dev-fxacct</a><br>
</blockquote></div>