How Should Identity Support in the browser look like?

Convener: Johannes Ernst

Tags: Active client, passive client, webfinger, UX

Discussion notes:

Whatever solution we come up with, must work in every browser. So if an active client is involved, there must be a passive client solution that is very similar.
Can we get the user login experience to nothing at all? Where the browser “knows” your membership at each web site and implicitly logs you in. Alternatively, we might define a per-site discovery mechanism by which the user agent can suggest to the user to “upgrade” their experience from “Yahoo” to “My Yahoo”, which if the user selects would log in the user (as automatically as possible given the discovered authentication mechanism).
E-commerce sites want to entice the user to buy before asking the user to log in.
We don’t think we can achieve pure uniformity of login experience across RPs and protocols. But perhaps we can achieve uniform initiation of the login ceremony, so that users can recognize how to begin to login, and so that active clients can automate it reliably.
Uniform-looking username/password prompts across sites encourages users to use the same username and password across sites, which is not desirable.
A user logging into a site for the first time may choose from several options:

Upon returning to a site, a user may choose any of the above options, or an additional one:

Log in with an alternate (permanent) identifier to begin a new persona at a site.

If we can get the login experience to be completely automatic, then logout must also be completely automatic (no persistent authentication cookies). Closing the browser must log the user out of all web sites implicitly.
Mozilla: Less than 2% of users using a password manager in a browser use a master password.
Classifications of our audience:

Navigation menu