How to make password managers play ball with your login form
HIDDE DE VRIES 23.09.2018 #HackOnMDN, London
The IAM Project
identity - proving/verifying who you are
access - allowing you to see things when you have been identified
The IAM Project facilitates group curation: if you're in a group, you can see the things that group has access to.
Our users
- Mozilla IAM is used by staff as well as by contributors
- people sometimes have various identities with differences in access rights
- some people want to use specific identities on specific sites
The “Lock” / NLX
Login with
- Mozilla LDAP
- Passwordless
- GitHub
- Google
80+ sites
Password managers
The most secure passwords are long and unique. And therefore hard to remember
making it work (1): recognise the login screen
making it work (2): trigger the ‘Would you like to save this password’ prompt
making it work (3): have the password manager fill in the fields
Lessons learned
Multi-page is hard (because hiding is hard)
Use web standards
A form with
- The right action and method
- input types
- Labels associated with inputs
1.3.5 Identify input purpose
Autocomplete
- autocomplete="off" often ignored
- autocomplete="username"
- autocomplete="password"
The autocomplete attribute offers a declarative mechanism by which websites can work with user agents to improve the latter’s ability to detect and fill sign-in forms by marking specific fields as "username" or "password"
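The "Use web standards" and "Autocomplete" lessons above, turned into a check: this is an added example, not code from the talk or from Mozilla IAM. It audits login-form markup for the action/method, input type, label and autocomplete points; the function names and both sample forms are constructed for illustration, and the password field is checked against the HTML standard's `current-password` / `new-password` tokens.

```javascript
// Added example: audit login-form markup against the "use web standards" checklist.
// Regex attribute parsing suffices for these constructed samples; audit the DOM in real use.
function attrs(tag) {
  const out = {};
  for (const m of tag.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) out[m[1].toLowerCase()] = m[2];
  return out;
}

function auditLoginForm(html) {
  const problems = [];
  const form = attrs((html.match(/<form\b[^>]*>/i) || [""])[0]);
  const inputs = [...html.matchAll(/<input\b[^>]*>/gi)].map((m) => attrs(m[0]));
  const labelled = new Set([...html.matchAll(/<label\b[^>]*>/gi)].map((m) => attrs(m[0]).for));

  if (!form.action) problems.push("form has no action");
  if ((form.method || "").toLowerCase() !== "post") problems.push("form method is not post");
  if (form.autocomplete === "off") problems.push('form sets autocomplete="off"');

  const password = inputs.find((i) => i.type === "password");
  const username = inputs.find((i) => i.autocomplete === "username");
  if (!password) problems.push('no input with type="password"');
  else if (!/^(current|new)-password$/.test(password.autocomplete || ""))
    problems.push("password input lacks a password autocomplete token");
  if (!username) problems.push('no input marked autocomplete="username"');

  // Every visible field needs an id that some <label for="..."> points at.
  for (const i of inputs.filter((i) => i.type !== "hidden" && i.type !== "submit"))
    if (!i.id || !labelled.has(i.id)) problems.push(`input "${i.name || "?"}" has no associated label`);
  return problems;
}

// Constructed sample: a single form with both fields present in the markup.
const GOOD_FORM = `
<form action="/login" method="post">
  <label for="user">Email</label>
  <input id="user" name="user" type="email" autocomplete="username">
  <label for="pass">Password</label>
  <input id="pass" name="pass" type="password" autocomplete="current-password">
  <input type="submit" value="Log in">
</form>`;

// Constructed sample: no action/method, a text field used for the password, no labels.
const BAD_FORM = `
<form autocomplete="off">
  <input name="user" type="text" placeholder="Email">
  <input name="pass" type="text" placeholder="Password">
</form>`;

console.log(auditLoginForm(GOOD_FORM));
console.log(auditLoginForm(BAD_FORM));
```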
This year I spent more time than I’m willing to admit on password manager compatibility for the Mozilla IAM login. I’d like to share some lessons learned.