Can we cater for link-based logins, e.g. tap link in email => logged in

[johnwilander]

Both account recovery flows and so called password-less logins may use links with authentication tokens in them. A tap or click logs the user in as long as the token is valid. Could we formalize such links and usage of them to the point where it could be reliably detected as a login flow?

[jameshartig]

Should there be a prompt in cases where the login isn't coming from a Web Authentication? It can be as simple as website.com is trying to mark you as logged into username. This could be used to track your visits.. If the user allows it then it can be remembered in the future. If the user blocks it then setLoggedIn would reject.

[gffletch]

Are you suggesting that the browser prompt if it can not tell if the user as explicitly entered credentials via the browser itself (e.g. webauthn or a password manager)? Are there not other ways that the browser could determine the user explicitly requested a login? Possibly data exposed at the RP via a .well-known/FILE or metadata markup on the login button?

In addition, there are many out-of-band strong authentication mechanisms where the browser won't "see" the presentation of credentials. For example, I'm logging into a site using the browser on my laptop and the site uses ZenKey (strong authentication supported by all the major US mobile operators) so my phone buzzes, I approve the authentication, and I'm logged into the site. The browser never saw any part of the credentials presentation and yet the user login was a strong authentication. Other forms of authentication that do not involve the browser are Pushed Authentication and QR code scanning (I'm sure there are more I'm forgetting off the top of my head:)

[johnwilander]

This is about the distinction between browser mediated and non-mediated logins. If the browser has not detected a mediated login and the site calls navigator.setLoggedIn(), we're in the same situation as for "upgrade to IsLoggedIn" and the same menu of options applies: #18 (comment). However, if we could formalize link-based logins, we may be able to provide a simpler or more convenient way of setting IsLoggedIn. This issue is about finding that out.

[gffletch]

From a pure security perspective, link-based logins are less secure that push-to-phone-app (and many other authentications) so as users move to increase the security of their identities online, Identity Providers will move away from the linked-based logins. So it may help some but it's not a great solution from an identity perspective :)

[bc-pi]

It's not quite "link in email => logged in" but there are lots of cases where an employee has a portal page of sorts with links to applications (SaaS and/or internal apps) to which they have access. Taping/clicking such a link will result (after checking authentication) in a so-called IDP initiated single-sign on where some login token (typically but not always SAML) is delivered unsolicited to the application in conjunction with the user navigating there. Resulting in the user being seamlessly logged into the application.