Mediated vs Unmediated Logins #17
Comments
I like browser-managed.
Managed is a loaded term. I would +1 "Browser Mediated Login" from the call today.
"Browser Mediated Login" You could add other mediation channels to the terminology if it ever became germane -- I could imagine special discussion for out-of-band, 2fac, and PAKE.
Removed agenda+, seems like we have good consensus on "browser mediated login". Can raise for group review again when we make related edits to spec text.
Please note that the browser can "mediate" a login flow without being directly involved in the presentation of credentials to the authentication endpoint. For me "mediate" means that the browser is directly involved in tracking/managing the login/sign-up flows regardless of how authentication happens. What about something like "Browser Mediated Credentials" as that is more specifically what we are describing (the browser is involved in presenting the authentication credentials; i.e. webauthn and/or password managers). Then we can use "browser mediated login" to represent when the browser is involved in managing the login flow even if authentication is completely out of band (e.g. QR code scan, push notification, etc).
FWIW, I've been using "mediated login" [1] in WebID, but I'd be happy to change and converge on terminology if you all arrive at something else. [1] https://github.com/WICG/WebID/blob/main/navigations.md#the-mediation-oriented-variation
"Managed logins" is a useful way of expressing that the browser was involved in the user just logging in.
Likewise, "Unmanaged logins" can codify all the cases where the browser is not involved and just gets the signal from the website that the user is logged in.
We propose this spec uses the terms managed and unmanaged logins for this purpose.