Mediated vs Unmediated Logins

[johnwilander]

"Managed logins" is useful way of expressing that the browser was involved in the user just logging in.

Likewise, "Unmanaged logins" can codify all the cases where the browser is not involved and just get the signal from the website that the user is logged in.

We propose this spec uses the terms managed and unmanaged logins for this purpose.

[samuelweiler]

I like browser-managed.

[timcappalli]

Managed is a loaded term. I would +1 "Browser Mediated Login" from the call today.

[ajknox]

"Browser Mediated Login"
vs.
"Unmediated Login"

You could add other mediation channels to the terminology if it ever became germane -- I could imagine special discussion for out-of-band, 2fac, and PAKE.

[melanierichards]

Removed agenda+, seems like we have good consensus on "browser mediated login". Can raise for group review again when we make related edits to spec text.

[gffletch]

Please note that the browser can "mediate" a login flow without being directly involved in the presentation of credentials to the authentication endpoint. For me "mediate" means that the browser is directly involved in tracking/managing the login/sign-up flows regardless of how authentication happens. What about something like "Browser Mediated Credentials" as that is more specifically what we are describing (the browser is involved in presenting the authentication credentials; i.e. webauthn and/or password managers).

Then we can use "browser mediated login" to represent when the browser is involved in managing the login flow even if authentication is completely out of band (e.g. QR code scan, push notification, etc).

[samuelgoto]

FWIW, I've been using "mediated login" [1] in WebID, but I'd be happy to change and converge on terminology if you all arrive at something else.

[1] https://github.com/WICG/WebID/blob/main/navigations.md#the-mediation-oriented-variation