A presentation at Hack on MDN in September 2018 in
London, UK by
Hidde de Vries
How to make password managers play ball with your login form
HIDDE DE VRIES 23.09.2018 #HackOnMDN, London
The IAM Project
The IAM Project access
identity - proving/verifying
who you are
access - allowing
you to see things when
you have been identified The IAM Project facilitates group curation: if you're in a group, you can see the things that group has access to.
Our users - Mozilla IAM is
used by staff as well
as by contributors
The “Lock” / NLX
Login with - Mozilla LDAP - Passwordless - GitHub - Google
The most secure passwords are long and unique. And therefore hard to remember
making it work (1): recognise the login screen
making it work (2): trigger the ‘Would you like to save this password’ prompt
making it work (3): have the password manager fill in the fields
Multi-page is hard (because hiding is hard)
Use web standards A form with
1.3.5 Identify input purpose
Autocomplete autocomplete="off" often ignored autocomplete="username" autocomplete="password"
The autocomplete attribute offers a declarative mechanism by which websites can work with user agents to improve the latter’s ability to detect and fill sign-in forms by marking specific fields as "username" or "password"
Multipage is hard Web standards autocomplete attr
This year I spent more time then I’m willing to admit on password manager compatibility for the Mozilla IAM login. I’d like to share some lessons learned.