Credential Management

Credential Management, also referred to as a Credential Management System (CMS), is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI).

CMS software is used by governments and enterprises issuing strong two-factor authentication (2FA) to employees and citizens. The CMS integrates with the components of PKI to provide one joined-up solution for IT departments to issue and manage credentials to a wide selection of devices, including smart cards, USB keys, smartphones, laptops and desktop computers.

Credential Management is also a proposed application programming interface (API) under development by the World Wide Web Consortium for standardizing aspects of how password managers used by web user agents (web browsers and other applications) create, store, use, and modify username and password combinations for logins, in addition to the management of "federated" credentials (such as single sign-on tokens) by user agents. The API is being developed by the W3C's Web Application Security Working Group, and has been in Working Draft status since April 2016. It is a Recommendation-track proposal, expected to become an accepted standard, but may undergo significant changes before that occurs. The Credential Management API has already been extended by the WebAuthn (Web Authentication) proposal, which reached Candidate Recommendation status in April 2018 and adds the ability to handle public-key authentication.

It is common for modern web browsers to be able store and automatically enter usernames and passwords for website logins, though they have often used suboptimal heuristics for guessing which form fields and data are supposed to be filled/stored, resulting in inconsistent and sometimes faulty behavior. Browsers can also have trouble filling in login forms for federated identities, such as when a user connecting to a website uses an account for a third-party web service (like Facebook, Google, or Twitter) to authenticate and provide identity information. The Credential Management specification also aims to streamline the process of changing passwords so that the locally stored password on the client can be updated at the same time it is modified on the server.

Google Chrome has included some support for Credential Management since version 51, released in May 2016, and Opera has included support since version 44, released in April 2017. Mozilla Firefox includes a subset of the API to support WebAuthn since version 60, released in May 2018.

API
As of the August 2017 working draft, user agents supporting the Credential Management API must implement a "credential store" for persistent storage of credential objects, and should also include a "credential chooser" to allow users to interact with the objects and allow or deny their use for logins. Credentials will ideally have a name and favicon associated with them, perhaps along with other related information, to help distinguish which website or service they are used for, as well as the ability to differentiate credentials for multiple accounts on the same site.

The API defines four main JavaScript methods, which expose the  interface: ,  ,  , and. It also specifies the top-level  interface object, with descendant   and   object types. (WebAuthn also defines a  interface object.) The API is only available when a user agent is connected to a secure (HTTPS) website. Browsers can still implement auto-filling of login information on non-secure sites, but must not allow such sites to benefit from the automation that the API provides, since it could lead to accidental exposure of passwords or other credentials. In addition, API access is only allowed in top-level windows, and not within  elements or other nested browsing contexts.

The  method is used for constructing credential objects in memory, and   triggers writing an object to the credential store following a successful login. requests potentially relevant credentials from storage, which may be presented to the user in a credential chooser. When retrieval requests are made, user agents are required to prompt the user for authorization by default, though the user interface can allow a flag to be set that allows "silent" authorization without presenting a prompt. A website can reset that flag with the  method, recommended for use when logging out.