HOME

TheInfoList



Click Here for Items Related To - Credential Management
OR:
Credential Management on:   [Wikipedia]   [Google]   [Amazon]

Credential Management, also referred to as a Credential Management System (CMS), is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI). CMS software is used by governments and enterprises issuing strong two-factor authentication (2FA) to employees and citizens. The CMS integrates with the components of PKI to provide one joined-up solution for IT departments to issue and manage credentials to a wide selection of devices, including smart cards, USB keys, smartphones, laptops and desktop computers. Credential Management is also a proposed application programming interface (API) under development by the
World Wide Web Consortium The World Wide Web Consortium (W3C) is the main international standards organization for the World Wide Web. Founded in 1994 and led by Tim Berners-Lee, the consortium is made up of member organizations that maintain full-time staff working t ...
for standardizing aspects of how
password manager A password manager is a computer program that allows users to store and manage their passwords for local applications and online services. In many cases software used to manage passwords allow also generate strong passwords and fill forms. Pas ...
s used by web
user agent In computing, a user agent is any software, acting on behalf of a user, which "retrieves, renders and facilitates end-user interaction with Web content". A user agent is therefore a special kind of software agent. Some prominent examples of u ...
s (
web browser A web browser is application software for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used on ...
s and other applications) create, store, use, and modify username and password combinations for logins, in addition to the management of " federated" credentials (such as
single sign-on Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-enterin ...
tokens) by user agents. The API is being developed by the W3C's Web Application Security Working Group, and has been in Working Draft status since April 2016. It is a Recommendation-track proposal, expected to become an accepted standard, but may undergo significant changes before that occurs. The Credential Management API has already been extended by the
WebAuthn Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interfac ...
(Web Authentication) proposal, which reached Candidate Recommendation status in April 2018 and adds the ability to handle public-key authentication. It is common for modern web browsers to be able store and automatically enter usernames and passwords for website logins, though they have often used suboptimal
heuristic A heuristic (; ), or heuristic technique, is any approach to problem solving or self-discovery that employs a practical method that is not guaranteed to be optimal, perfect, or rational, but is nevertheless sufficient for reaching an immediat ...
s for guessing which
form Form is the shape, visual appearance, or configuration of an object. In a wider sense, the form is the way something happens. Form also refers to: * Form (document), a document (printed or electronic) with spaces in which to write or enter dat ...
fields and data are supposed to be filled/stored, resulting in inconsistent and sometimes faulty behavior. Browsers can also have trouble filling in login forms for federated identities, such as when a user connecting to a website uses an account for a third-party web service (like
Facebook Facebook is an online social media and social networking service owned by American company Meta Platforms. Founded in 2004 by Mark Zuckerberg with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dustin ...
,
Google Google LLC () is an American Multinational corporation, multinational technology company focusing on Search Engine, search engine technology, online advertising, cloud computing, software, computer software, quantum computing, e-commerce, ar ...
, or
Twitter Twitter is an online social media and social networking service owned and operated by American company Twitter, Inc., on which users post and interact with 280-character-long messages known as "tweets". Registered users can post, like, and ...
) to authenticate and provide identity information. The Credential Management specification also aims to streamline the process of changing passwords so that the locally stored password on the client can be updated at the same time it is modified on the server.
Google Chrome Google Chrome is a cross-platform web browser developed by Google. It was first released in 2008 for Microsoft Windows, built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macO ...
has included some support for Credential Management since version 51, released in May 2016, and
Opera Opera is a form of theatre in which music is a fundamental component and dramatic roles are taken by singers. Such a "work" (the literal translation of the Italian word "opera") is typically a collaboration between a composer and a libre ...
has included support since version 44, released in April 2017.
Mozilla Firefox Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current a ...
includes a subset of the API to support WebAuthn since version 60, released in May 2018.


API

As of the August 2017 working draft, user agents supporting the Credential Management API must implement a "credential store" for persistent storage of credential objects, and should also include a "credential chooser" to allow users to interact with the objects and allow or deny their use for logins. Credentials will ideally have a name and
favicon A favicon (; short for favorite icon), also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular website or web page. A web designer can creat ...
associated with them, perhaps along with other related information, to help distinguish which website or service they are used for, as well as the ability to differentiate credentials for multiple accounts on the same site. The API defines four main
JavaScript JavaScript (), often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2022, 98% of Website, websites use JavaScript on the Client (computing), client side ...
methods, which expose the CredentialsContainer interface: navigator.credentials.create(), navigator.credentials.store(), navigator.credentials.get(), and navigator.credentials.preventSilentAccess(). It also specifies the top-level Credential interface object, with descendant PasswordCredential and FederatedCredential object types. (WebAuthn also defines a PublicKeyCredential interface object.) The API is only available when a user agent is connected to a secure (
HTTPS Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is e ...
) website. Browsers can still implement auto-filling of login information on non-secure sites, but must not allow such sites to benefit from the automation that the API provides, since it could lead to accidental exposure of passwords or other credentials. In addition, API access is only allowed in top-level windows, and not within <iframe> elements or other nested browsing contexts. The navigator.credentials.create() method is used for constructing credential objects in memory, and store() triggers writing an object to the credential store following a successful login. get() requests potentially relevant credentials from storage, which may be presented to the user in a credential chooser. When retrieval requests are made, user agents are required to prompt the user for authorization by default, though the user interface can allow a flag to be set that allows "silent" authorization without presenting a prompt. A website can reset that flag with the preventSilentAccess() method, recommended for use when logging out.


See also

*
OpenID Connect OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party identity provide ...


References

{{reflist


External links


Credential Management Level 1

W3C Web Application Security Working Group
World Wide Web Consortium standards Internet security