Building a better login
with the credential management API
James Allardice
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3584641/orangejellyfish-square.png)
Evolution of login
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3680459/Screenshot_2017-04-07_07.51.50.png)
Username/password forms
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3680462/Screenshot_2017-04-07_07.54.39.png)
Stored credentials
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3680465/Screenshot_2017-04-07_07.56.47.png)
Autofill
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3680471/Screenshot_2017-04-07_08.01.23.png)
You can sync passwords across devices.
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3680478/Screenshot_2017-04-07_08.10.05.png)
Federated identity providers
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/4381485/Screen_Shot_2017-11-28_at_08.45.18.png)
The Credential
Management API
WD
CR
PR
REC
Working
draft
Candidate
recommendation
Proposed
recommendation
Recommendation
WD
CR
PR
REC
Working
draft
Candidate
recommendation
Proposed
recommendation
Recommendation
Credential Management API
(as of November 2017)
Browser support
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3984029/Screen_Shot_2017-07-13_at_07.52.47.png)
- Help the user authenticate by providing access to credentials
- Help the browser store credentials provided by the user
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3677793/Screenshot_2017-04-06_16.00.13.png)
Assertion about an entity which enables a trust decision
Demo!
Demo!
Demo!
Demo!
autocomplete="username"
autocomplete="current-password"
autocomplete="new-password"
const formData = new FormData(loginForm);
fetch('/', {
method: 'POST',
headers: {
Accept: 'application/json',
},
credentials: 'include',
body: formData,
})
.then((response) => response.json())
.then((json) => { /* ... */ });
const credential = new PasswordCredential(form);
navigator.credentials
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/4387452/Screenshot_2017-11-29_12.22.35.png)
navigator.credentials.store(credentials)
.then(() => { /* ... */ });
// Ask the browser for the stored password credential.
navigator.credentials.get({
password: true,
})
.then((credentials) => {
const formData = new FormData();
formData.append(credential.idName, credential.id);
formData.append(credential.passwordName, credential.password);
// Make request with `formData`
});
// Prevent automatic logins for the rest of the session.
navigator.credentials.preventSilentAccess();
Supporting old Chrome
Security
- Page must be served from a secure origin (HTTPS)
- Credentials for other origins not available
- Stored passwords are encrypted
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3590631/Screenshot_2017-03-14_21.42.47.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3590679/DB_Browser_for_SQLite_-__Users_jallardice_dev_scratch_chrome-db.png)
- Federated credentials?
- Offline support?
- Multi-factor authentication?
What next?
Thank you!
James Allardice
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3584641/orangejellyfish-square.png)
Building a better login (Bristol JS Nov 2017)
By James Allardice
Building a better login (Bristol JS Nov 2017)
- 860