How to make password managers play ball with your login form

How to make password managers play ball with your login form HIDDE DE VRIES 23.09.2018 #HackOnMDN, London

The IAM Project

identity The IAM Project access

identity - proving/verifying who you are

access - allowing you to see things when you have been identified The IAM Project facilitates group curation: if you're in a group, you can see the things that group has access to.

Our users - Mozilla IAM is used by staff as well as by contributors

• people sometimes have various identities with differences in access rights
• some people want to use specific identities on specific sites

The “Lock” / NLX

Login with - Mozilla LDAP - Passwordless - GitHub - Google

80+ sites

Password managers

The most secure passwords are long and unique. And therefore hard to remember

making it work (1): recognise the login screen

making it work (2): trigger the ‘Would you like to save this password’ prompt

making it work (3): have the password manager fill in the fields

Lessons learned

Multi-page is hard (because hiding is hard)

Use web standards A form with The right Labels action and input associated method types with inputs 1.3.5 Identify input purpose

Autocomplete autocomplete="off" often ignored autocomplete="username" autocomplete="password"

The autocomplete attribute offers a declarative mechanism by which websites can work with user agents to improve the latter’s ability to detect and fill sign-in forms by marking specific fields as "username" or "password"

Multipage is hard Web standards autocomplete attr