How to make password managers play ball with your login form

A presentation at Hack on MDN in September 2018 in London, UK by Hidde de Vries

Slide 1

How to make password managers play ball with your login form

Hidde de Vries, 23.09.2018, #HackOnMDN, London

Slide 2

The IAM Project

Slide 3

The IAM Project

  • identity
  • access

Slide 4

identity - proving/verifying who you are

Slide 5

access - allowing you to see things when you have been identified

The IAM Project facilitates group curation: if you're in a group, you can see the things that group has access to.

Slide 6

Our users - Mozilla IAM is used by staff as well as by contributors

  • people sometimes have various identities with differences in access rights
  • some people want to use specific identities on specific sites

Slide 7

The “Lock” / NLX

Slide 8

Slide 9

Login with

  • Mozilla LDAP
  • Passwordless
  • GitHub
  • Google

Slide 10

80+ sites

Slide 11

Password managers

Slide 12

The most secure passwords are long and unique. And therefore hard to remember

Slide 13

making it work (1): recognise the login screen

Slide 14

making it work (2): trigger the ‘Would you like to save this password’ prompt

Slide 15

making it work (3): have the password manager fill in the fields

Slide 16

Lessons learned

Slide 17

Multi-page is hard (because hiding is hard)

Slide 18

Use web standards

  • A form with action and method
  • The right input types
  • Labels associated with inputs
  • 1.3.5 Identify input purpose

Slide 19

Autocomplete

  • autocomplete="off" often ignored
  • autocomplete="username"
  • autocomplete="password"

Slide 20

The autocomplete attribute offers a declarative mechanism by which websites can work with user agents to improve the latter’s ability to detect and fill sign-in forms by marking specific fields as "username" or "password"
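
An added example, not taken from the slides: a login form that ignores the points on the last three slides, next to one that follows them. The field names, ids, the /login action and the sendLogin() handler are made up for illustration, and the password field uses the current-password token from the HTML Standard's autofill list.

```html
<!-- Hard for a password manager: no <form>, no labels, generic input
     types, and autocomplete="off" (which browsers often ignore).
     sendLogin() is a hypothetical script handler. -->
<div class="login">
  <input type="text" placeholder="Email" autocomplete="off">
  <input type="text" placeholder="Password" autocomplete="off">
  <a href="#" onclick="sendLogin()">Log in</a>
</div>

<!-- Easier to recognise, save and fill: a real form with action and
     method, labels tied to their inputs, specific input types, and
     autocomplete tokens that state each field's purpose. -->
<form action="/login" method="post">
  <label for="login-email">Email</label>
  <input id="login-email" name="email" type="email"
         autocomplete="username" required>

  <label for="login-password">Password</label>
  <input id="login-password" name="password" type="password"
         autocomplete="current-password" required>

  <button type="submit">Log in</button>
</form>
```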

Slide 21

  • Multipage is hard
  • Web standards
  • autocomplete attr