SlideShare a Scribd company logo
FedCM Update
where we are and where we are
going
yigu@chromium.org cbiesinger@chromium.org BlinkOn 16
BlinkOn 16
Why Federated Credentials?
What is it?
Users sign-in to an RP (relying party) with an
IdP (Identity provider)
Why do we think it’s important?
- Ease of use
- passwordless
- Security
- resistance to phishing
- Trustworthiness
- per-site username and password
BlinkOn 16
The problem
By design, identity federation was built
on top of low-level primitives*.
By accident, the same primitives also
enable cross-site tracking.
Unfortunately, we can’t distinguish
tracking from federation.
* iframes, third party cookies, redirects
your@email.com
******
Sign Up
https://example1.com
John Doe
johndoe@email.com
Sign-in to example.com with IDP
Continue as John
forgot password
your@email.com
******
Sign Up
https://example2.com
John Doe
johndoe@email.com
Sign-in to example.com with IDP
Continue as John
forgot password
Browser RP IDP
The classification Problem
BlinkOn 16
How?
BlinkOn 16
How?
O(B)
Users
No behavioral changes
O(100s)
Identity Providers
Moderate change
O(10s)
Browsers
Heavy change
O(M)
Relying Parties
Backwards compatible
BlinkOn 16
Demo time!
BlinkOn 16
Demo time!
BlinkOn 16
How? The JavaScript API
var credential = navigator.credentials.get(
{provider: “https://idp.example/”, client_id: “123”}
);
{id_token} = credential.login();
// Also available:
credential.logout();
credential.revoke();
BlinkOn 16
How? The HTTP API
https://developer.chrome.com/blog/fedcm-origin-trial/
2023
2020 2021 2022
Here are 3 options
I2P
Oops, we have a
problem
Prototyping
Hello WICG, OIDF
Is this even a problem?
Would these even work?
This could work. How can I try?
Q1/2022
This works!
Origin Trials
Q2 /2022
Let’s see then.
2024
Fast Follows Phase out
Q3/2022
Ready
Q3/2023
Phasing out
Q4/2023
3PCD
Devtrials
I2E I2S
When?
MVP
Feature
Complete
Today
BlinkOn 16
Ecosystem Feedback
- Federated Identity Community Group
- Identity Providers
- Better understanding of the use cases (primitives by use cases)
- Firmer validation that front-channel logout is important to them
- Better understanding of the alternatives and trade-offs (alternatives considered)
- First Party Sets, CHIPS, Storage Access API, FedCM, CNAMES, Back channel logout, etc.
- Increasingly more concerned about bounce tracking mitigations longer term
- Browsers
- Edge: no institutional position yet. currently running the origin trial too.
- Safari: early institutional position: generally supportive, but still very early / shallow
- Firefox: no institutional position yet. informally, supportive of development, concerned about a few privacy
issues which we are working on together.
BlinkOn 16
The Timing Attack
- Tracker can learn about which website a user is visiting without user
permission by conducting the timing attack
BlinkOn 16
BlinkOn 16
BlinkOn 16
Proposal - pull accounts iff it’s necessary
- Site engagement score: users must have interacted with the provider origin in the past
- { provider: “https://idp.example/”, client_id: “123” }
- Aggregate metrics to penalize suspicious “providers”
- Click-through rate
- Invisible UI rate
- We want the timing attack to be economically impractical, not mathematically impossible
BlinkOn 16
What’s next: Multiple IDPs? Company logos are illustrative only
What’s next: Branding? Company logos are illustrative only
What’s next: Other Use Cases? Company logos are illustrative only
What’s next: previously inaccessible UX opportunities? Company logos are illustrative only
What’s next: Other IdP use cases
● Personalized button
● Early explorations
○ Access tokens
○ Refresh tokens (silent access)
○ DPoP API (proof of possession)
○ Non-email user identification (e.g. phone number)
○ Multiple iframes sharing one login prompt
Q & A

More Related Content

Similar to (Public) FedCM BlinkOn 16 fedcm and privacy sandbox apis

Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
Phillip Maddux
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
Phillip Maddux
 
Comment pirater le site de mon concurrent.. et securiser le mien
Comment pirater le site de mon concurrent.. et securiser le mienComment pirater le site de mon concurrent.. et securiser le mien
Comment pirater le site de mon concurrent.. et securiser le mien
Julien Dereumaux
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
E-commerce Lab work
E-commerce Lab workE-commerce Lab work
E-commerce Lab work
Pragya Bisht
 
Gareth Young - Creating A Global Internet Anti-Piracy Strategy
Gareth Young - Creating A Global Internet Anti-Piracy StrategyGareth Young - Creating A Global Internet Anti-Piracy Strategy
Gareth Young - Creating A Global Internet Anti-Piracy Strategy
Eleonora Rosati
 
Online Brand Protection: Fighting Domain Name Typosquatting, Website Spoofing...
Online Brand Protection:Fighting Domain Name Typosquatting, Website Spoofing...Online Brand Protection:Fighting Domain Name Typosquatting, Website Spoofing...
Online Brand Protection: Fighting Domain Name Typosquatting, Website Spoofing...
WhoisXML API
 
Internal host-reputation-webinar
Internal host-reputation-webinarInternal host-reputation-webinar
Internal host-reputation-webinar
Lancope, Inc.
 
Meetup which approach to choose?
Meetup   which approach to choose?Meetup   which approach to choose?
Meetup which approach to choose?
Joe Mbaya
 
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and AbuseData Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
David Freeman
 
Bot how to find them 2014_27_03
Bot how to find them 2014_27_03Bot how to find them 2014_27_03
Bot how to find them 2014_27_03
IABmembership
 
Better Metrics, Less Hacks: Online Travel and The Future of Web Security
Better Metrics, Less Hacks: Online Travel and The Future of Web SecurityBetter Metrics, Less Hacks: Online Travel and The Future of Web Security
Better Metrics, Less Hacks: Online Travel and The Future of Web Security
Distil Networks
 
Testing experience in web application P3 what should pay attention to
Testing experience in web application P3 what should pay attention toTesting experience in web application P3 what should pay attention to
Testing experience in web application P3 what should pay attention to
Vu Tran
 
Iab bots how to_find_them_webinar_2014_03_27
Iab bots how to_find_them_webinar_2014_03_27Iab bots how to_find_them_webinar_2014_03_27
Iab bots how to_find_them_webinar_2014_03_27
IABmembership
 
AUDIENCE - Things Brands Should Consider Before Going Programmatic
AUDIENCE - Things Brands Should Consider Before Going ProgrammaticAUDIENCE - Things Brands Should Consider Before Going Programmatic
AUDIENCE - Things Brands Should Consider Before Going Programmatic
Liam Boogar-Azoulay
 
Unit 8 e commerce
Unit 8 e commerceUnit 8 e commerce
Unit 8 e commerce
adamlawson
 
Unit 8 e commerce
Unit 8 e commerceUnit 8 e commerce
Unit 8 e commerce
adamlawson
 
Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
Behrouz Sadeghipour
 
Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
Behrouz Sadeghipour
 
10 Ways to Speed Up and Secure your WP Site
10 Ways to Speed Up and Secure your WP Site10 Ways to Speed Up and Secure your WP Site
10 Ways to Speed Up and Secure your WP Site
FLBlogCon
 

Similar to (Public) FedCM BlinkOn 16 fedcm and privacy sandbox apis (20)

Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 
Comment pirater le site de mon concurrent.. et securiser le mien
Comment pirater le site de mon concurrent.. et securiser le mienComment pirater le site de mon concurrent.. et securiser le mien
Comment pirater le site de mon concurrent.. et securiser le mien
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
 
E-commerce Lab work
E-commerce Lab workE-commerce Lab work
E-commerce Lab work
 
Gareth Young - Creating A Global Internet Anti-Piracy Strategy
Gareth Young - Creating A Global Internet Anti-Piracy StrategyGareth Young - Creating A Global Internet Anti-Piracy Strategy
Gareth Young - Creating A Global Internet Anti-Piracy Strategy
 
Online Brand Protection: Fighting Domain Name Typosquatting, Website Spoofing...
Online Brand Protection:Fighting Domain Name Typosquatting, Website Spoofing...Online Brand Protection:Fighting Domain Name Typosquatting, Website Spoofing...
Online Brand Protection: Fighting Domain Name Typosquatting, Website Spoofing...
 
Internal host-reputation-webinar
Internal host-reputation-webinarInternal host-reputation-webinar
Internal host-reputation-webinar
 
Meetup which approach to choose?
Meetup   which approach to choose?Meetup   which approach to choose?
Meetup which approach to choose?
 
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and AbuseData Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse
 
Bot how to find them 2014_27_03
Bot how to find them 2014_27_03Bot how to find them 2014_27_03
Bot how to find them 2014_27_03
 
Better Metrics, Less Hacks: Online Travel and The Future of Web Security
Better Metrics, Less Hacks: Online Travel and The Future of Web SecurityBetter Metrics, Less Hacks: Online Travel and The Future of Web Security
Better Metrics, Less Hacks: Online Travel and The Future of Web Security
 
Testing experience in web application P3 what should pay attention to
Testing experience in web application P3 what should pay attention toTesting experience in web application P3 what should pay attention to
Testing experience in web application P3 what should pay attention to
 
Iab bots how to_find_them_webinar_2014_03_27
Iab bots how to_find_them_webinar_2014_03_27Iab bots how to_find_them_webinar_2014_03_27
Iab bots how to_find_them_webinar_2014_03_27
 
AUDIENCE - Things Brands Should Consider Before Going Programmatic
AUDIENCE - Things Brands Should Consider Before Going ProgrammaticAUDIENCE - Things Brands Should Consider Before Going Programmatic
AUDIENCE - Things Brands Should Consider Before Going Programmatic
 
Unit 8 e commerce
Unit 8 e commerceUnit 8 e commerce
Unit 8 e commerce
 
Unit 8 e commerce
Unit 8 e commerceUnit 8 e commerce
Unit 8 e commerce
 
Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
 
Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
 
10 Ways to Speed Up and Secure your WP Site
10 Ways to Speed Up and Secure your WP Site10 Ways to Speed Up and Secure your WP Site
10 Ways to Speed Up and Secure your WP Site
 

More from DivyanshGupta922023

DevOps The Buzzword - everything about devops
DevOps The Buzzword - everything about devopsDevOps The Buzzword - everything about devops
DevOps The Buzzword - everything about devops
DivyanshGupta922023
 
Git Basics walkthough to all basic concept and commands of git
Git Basics walkthough to all basic concept and commands of gitGit Basics walkthough to all basic concept and commands of git
Git Basics walkthough to all basic concept and commands of git
DivyanshGupta922023
 
jquery summit presentation for large scale javascript applications
jquery summit  presentation for large scale javascript applicationsjquery summit  presentation for large scale javascript applications
jquery summit presentation for large scale javascript applications
DivyanshGupta922023
 
Next.js - ReactPlayIO.pptx
Next.js - ReactPlayIO.pptxNext.js - ReactPlayIO.pptx
Next.js - ReactPlayIO.pptx
DivyanshGupta922023
 
Management+team.pptx
Management+team.pptxManagement+team.pptx
Management+team.pptx
DivyanshGupta922023
 
DHC Microbiome Presentation 4-23-19.pptx
DHC Microbiome Presentation 4-23-19.pptxDHC Microbiome Presentation 4-23-19.pptx
DHC Microbiome Presentation 4-23-19.pptx
DivyanshGupta922023
 
developer-burnout.pdf
developer-burnout.pdfdeveloper-burnout.pdf
developer-burnout.pdf
DivyanshGupta922023
 
AzureIntro.pptx
AzureIntro.pptxAzureIntro.pptx
AzureIntro.pptx
DivyanshGupta922023
 
api-driven-development.pdf
api-driven-development.pdfapi-driven-development.pdf
api-driven-development.pdf
DivyanshGupta922023
 
Internet of Things.pptx
Internet of Things.pptxInternet of Things.pptx
Internet of Things.pptx
DivyanshGupta922023
 
Functional JS+ ES6.pptx
Functional JS+ ES6.pptxFunctional JS+ ES6.pptx
Functional JS+ ES6.pptx
DivyanshGupta922023
 
AAAI19-Open.pptx
AAAI19-Open.pptxAAAI19-Open.pptx
AAAI19-Open.pptx
DivyanshGupta922023
 
10-security-concepts-lightning-talk 1of2.pptx
10-security-concepts-lightning-talk 1of2.pptx10-security-concepts-lightning-talk 1of2.pptx
10-security-concepts-lightning-talk 1of2.pptx
DivyanshGupta922023
 
Introduction to Directed Acyclic Graphs.pptx
Introduction to Directed Acyclic Graphs.pptxIntroduction to Directed Acyclic Graphs.pptx
Introduction to Directed Acyclic Graphs.pptx
DivyanshGupta922023
 
ReactJS presentation.pptx
ReactJS presentation.pptxReactJS presentation.pptx
ReactJS presentation.pptx
DivyanshGupta922023
 
01-React js Intro.pptx
01-React js Intro.pptx01-React js Intro.pptx
01-React js Intro.pptx
DivyanshGupta922023
 
Nextjs13.pptx
Nextjs13.pptxNextjs13.pptx
Nextjs13.pptx
DivyanshGupta922023
 

More from DivyanshGupta922023 (17)

DevOps The Buzzword - everything about devops
DevOps The Buzzword - everything about devopsDevOps The Buzzword - everything about devops
DevOps The Buzzword - everything about devops
 
Git Basics walkthough to all basic concept and commands of git
Git Basics walkthough to all basic concept and commands of gitGit Basics walkthough to all basic concept and commands of git
Git Basics walkthough to all basic concept and commands of git
 
jquery summit presentation for large scale javascript applications
jquery summit  presentation for large scale javascript applicationsjquery summit  presentation for large scale javascript applications
jquery summit presentation for large scale javascript applications
 
Next.js - ReactPlayIO.pptx
Next.js - ReactPlayIO.pptxNext.js - ReactPlayIO.pptx
Next.js - ReactPlayIO.pptx
 
Management+team.pptx
Management+team.pptxManagement+team.pptx
Management+team.pptx
 
DHC Microbiome Presentation 4-23-19.pptx
DHC Microbiome Presentation 4-23-19.pptxDHC Microbiome Presentation 4-23-19.pptx
DHC Microbiome Presentation 4-23-19.pptx
 
developer-burnout.pdf
developer-burnout.pdfdeveloper-burnout.pdf
developer-burnout.pdf
 
AzureIntro.pptx
AzureIntro.pptxAzureIntro.pptx
AzureIntro.pptx
 
api-driven-development.pdf
api-driven-development.pdfapi-driven-development.pdf
api-driven-development.pdf
 
Internet of Things.pptx
Internet of Things.pptxInternet of Things.pptx
Internet of Things.pptx
 
Functional JS+ ES6.pptx
Functional JS+ ES6.pptxFunctional JS+ ES6.pptx
Functional JS+ ES6.pptx
 
AAAI19-Open.pptx
AAAI19-Open.pptxAAAI19-Open.pptx
AAAI19-Open.pptx
 
10-security-concepts-lightning-talk 1of2.pptx
10-security-concepts-lightning-talk 1of2.pptx10-security-concepts-lightning-talk 1of2.pptx
10-security-concepts-lightning-talk 1of2.pptx
 
Introduction to Directed Acyclic Graphs.pptx
Introduction to Directed Acyclic Graphs.pptxIntroduction to Directed Acyclic Graphs.pptx
Introduction to Directed Acyclic Graphs.pptx
 
ReactJS presentation.pptx
ReactJS presentation.pptxReactJS presentation.pptx
ReactJS presentation.pptx
 
01-React js Intro.pptx
01-React js Intro.pptx01-React js Intro.pptx
01-React js Intro.pptx
 
Nextjs13.pptx
Nextjs13.pptxNextjs13.pptx
Nextjs13.pptx
 

Recently uploaded

2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
Yasser Mahgoub
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
21UME003TUSHARDEB
 
An Introduction to the Compiler Designss
An Introduction to the Compiler DesignssAn Introduction to the Compiler Designss
An Introduction to the Compiler Designss
ElakkiaU
 
Software Engineering and Project Management - Introduction, Modeling Concepts...
Software Engineering and Project Management - Introduction, Modeling Concepts...Software Engineering and Project Management - Introduction, Modeling Concepts...
Software Engineering and Project Management - Introduction, Modeling Concepts...
Prakhyath Rai
 
Rainfall intensity duration frequency curve statistical analysis and modeling...
Rainfall intensity duration frequency curve statistical analysis and modeling...Rainfall intensity duration frequency curve statistical analysis and modeling...
Rainfall intensity duration frequency curve statistical analysis and modeling...
bijceesjournal
 
Properties Railway Sleepers and Test.pptx
Properties Railway Sleepers and Test.pptxProperties Railway Sleepers and Test.pptx
Properties Railway Sleepers and Test.pptx
MDSABBIROJJAMANPAYEL
 
Data Control Language.pptx Data Control Language.pptx
Data Control Language.pptx Data Control Language.pptxData Control Language.pptx Data Control Language.pptx
Data Control Language.pptx Data Control Language.pptx
ramrag33
 
Data Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason WebinarData Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason Webinar
UReason
 
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
insn4465
 
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
ydzowc
 
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
171ticu
 
Engineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdfEngineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdf
abbyasa1014
 
Applications of artificial Intelligence in Mechanical Engineering.pdf
Applications of artificial Intelligence in Mechanical Engineering.pdfApplications of artificial Intelligence in Mechanical Engineering.pdf
Applications of artificial Intelligence in Mechanical Engineering.pdf
Atif Razi
 
Curve Fitting in Numerical Methods Regression
Curve Fitting in Numerical Methods RegressionCurve Fitting in Numerical Methods Regression
Curve Fitting in Numerical Methods Regression
Nada Hikmah
 
CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1
PKavitha10
 
Computational Engineering IITH Presentation
Computational Engineering IITH PresentationComputational Engineering IITH Presentation
Computational Engineering IITH Presentation
co23btech11018
 
Certificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi AhmedCertificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi Ahmed
Mahmoud Morsy
 
Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...
IJECEIAES
 
Embedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoringEmbedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoring
IJECEIAES
 
Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...
bijceesjournal
 

Recently uploaded (20)

2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
 
An Introduction to the Compiler Designss
An Introduction to the Compiler DesignssAn Introduction to the Compiler Designss
An Introduction to the Compiler Designss
 
Software Engineering and Project Management - Introduction, Modeling Concepts...
Software Engineering and Project Management - Introduction, Modeling Concepts...Software Engineering and Project Management - Introduction, Modeling Concepts...
Software Engineering and Project Management - Introduction, Modeling Concepts...
 
Rainfall intensity duration frequency curve statistical analysis and modeling...
Rainfall intensity duration frequency curve statistical analysis and modeling...Rainfall intensity duration frequency curve statistical analysis and modeling...
Rainfall intensity duration frequency curve statistical analysis and modeling...
 
Properties Railway Sleepers and Test.pptx
Properties Railway Sleepers and Test.pptxProperties Railway Sleepers and Test.pptx
Properties Railway Sleepers and Test.pptx
 
Data Control Language.pptx Data Control Language.pptx
Data Control Language.pptx Data Control Language.pptxData Control Language.pptx Data Control Language.pptx
Data Control Language.pptx Data Control Language.pptx
 
Data Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason WebinarData Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason Webinar
 
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
 
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
 
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
 
Engineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdfEngineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdf
 
Applications of artificial Intelligence in Mechanical Engineering.pdf
Applications of artificial Intelligence in Mechanical Engineering.pdfApplications of artificial Intelligence in Mechanical Engineering.pdf
Applications of artificial Intelligence in Mechanical Engineering.pdf
 
Curve Fitting in Numerical Methods Regression
Curve Fitting in Numerical Methods RegressionCurve Fitting in Numerical Methods Regression
Curve Fitting in Numerical Methods Regression
 
CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1
 
Computational Engineering IITH Presentation
Computational Engineering IITH PresentationComputational Engineering IITH Presentation
Computational Engineering IITH Presentation
 
Certificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi AhmedCertificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi Ahmed
 
Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...
 
Embedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoringEmbedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoring
 
Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...
 

(Public) FedCM BlinkOn 16 fedcm and privacy sandbox apis

  • 1. FedCM Update where we are and where we are going yigu@chromium.org cbiesinger@chromium.org BlinkOn 16
  • 2. BlinkOn 16 Why Federated Credentials? What is it? Users sign-in to an RP (relying party) with an IdP (Identity provider) Why do we think it’s important? - Ease of use - passwordless - Security - resistance to phishing - Trustworthiness - per-site username and password
  • 3. BlinkOn 16 The problem By design, identity federation was built on top of low-level primitives*. By accident, the same primitives also enable cross-site tracking. Unfortunately, we can’t distinguish tracking from federation. * iframes, third party cookies, redirects your@email.com ****** Sign Up https://example1.com John Doe johndoe@email.com Sign-in to example.com with IDP Continue as John forgot password your@email.com ****** Sign Up https://example2.com John Doe johndoe@email.com Sign-in to example.com with IDP Continue as John forgot password Browser RP IDP The classification Problem
  • 5. BlinkOn 16 How? O(B) Users No behavioral changes O(100s) Identity Providers Moderate change O(10s) Browsers Heavy change O(M) Relying Parties Backwards compatible
  • 8. BlinkOn 16 How? The JavaScript API var credential = navigator.credentials.get( {provider: “https://idp.example/”, client_id: “123”} ); {id_token} = credential.login(); // Also available: credential.logout(); credential.revoke();
  • 9. BlinkOn 16 How? The HTTP API https://developer.chrome.com/blog/fedcm-origin-trial/
  • 10. 2023 2020 2021 2022 Here are 3 options I2P Oops, we have a problem Prototyping Hello WICG, OIDF Is this even a problem? Would these even work? This could work. How can I try? Q1/2022 This works! Origin Trials Q2 /2022 Let’s see then. 2024 Fast Follows Phase out Q3/2022 Ready Q3/2023 Phasing out Q4/2023 3PCD Devtrials I2E I2S When? MVP Feature Complete Today
  • 11. BlinkOn 16 Ecosystem Feedback - Federated Identity Community Group - Identity Providers - Better understanding of the use cases (primitives by use cases) - Firmer validation that front-channel logout is important to them - Better understanding of the alternatives and trade-offs (alternatives considered) - First Party Sets, CHIPS, Storage Access API, FedCM, CNAMES, Back channel logout, etc. - Increasingly more concerned about bounce tracking mitigations longer term - Browsers - Edge: no institutional position yet. currently running the origin trial too. - Safari: early institutional position: generally supportive, but still very early / shallow - Firefox: no institutional position yet. informally, supportive of development, concerned about a few privacy issues which we are working on together.
  • 12. BlinkOn 16 The Timing Attack - Tracker can learn about which website a user is visiting without user permission by conducting the timing attack
  • 15. BlinkOn 16 Proposal - pull accounts iff it’s necessary - Site engagement score: users must have interacted with the provider origin in the past - { provider: “https://idp.example/”, client_id: “123” } - Aggregate metrics to penalize suspicious “providers” - Click-through rate - Invisible UI rate - We want the timing attack to be economically impractical, not mathematically impossible
  • 16. BlinkOn 16 What’s next: Multiple IDPs? Company logos are illustrative only
  • 17. What’s next: Branding? Company logos are illustrative only
  • 18. What’s next: Other Use Cases? Company logos are illustrative only
  • 19. What’s next: previously inaccessible UX opportunities? Company logos are illustrative only
  • 20. What’s next: Other IdP use cases ● Personalized button ● Early explorations ○ Access tokens ○ Refresh tokens (silent access) ○ DPoP API (proof of possession) ○ Non-email user identification (e.g. phone number) ○ Multiple iframes sharing one login prompt
  • 21. Q & A

Editor's Notes

  1. Note: pulling the changes towards the left is an OPTIMIZATION factor, not a HARD requirement. it is simply facilitating the deployment of FedCM, but if some things fall into RPs or Users it won't be a failure: it will just be harder.
  2. Christian talks for slides 6-8
  3. https://blog.google/products/chrome/updated-timeline-privacy-sandbox-milestones/#:~:text=finishing%20in%20late%202023 https://developer.chrome.com/blog/origin-trials/
  4. Christian talks for slides 14-17