[whatwg] RFC: <input type="username">

Boris Zbarsky bzbarsky at MIT.EDU
Tue May 4 20:21:17 PDT 2010


On 5/4/10 10:56 PM, Dirk Pranke wrote:
> What I would like to offer is a way to control some amount of the sign-in/sign-out
> experience while improving the security, by at least giving an in-page
> way to trigger sign-in / sign-out (the actual mechanism of collecting
> the credentials and performing the sign-in would be done by the
> browser without page intervention, where possible, for security
> reasons).

So this would be something pages opt into?

If not, how would the following sign-in workflows (taken from two 
banking sites I've dealt with recently) work:

Workflow 1:

1)  Site prompts user for only a username.
2)  After user enters a username, site responds with a "Hello,
     __firstname__" (with either the first name corresponding to the
     username filled in or a random one generated if there's no such
     account) and two security questions.
3)  After the user correctly answers the two security questions, he is
     presented with a previously-agreed-on image and phrase (to convince
     the user that the bank is in fact the bank) and 9 clickable buttons
     numbered 0-9.
4a) If the user has a mouse, the user clicks the buttons in the right
     order to enter their PIN (I believe a 7-digit or more number).
     Else go to 4b.
4b) If the user cannot use the mouse for some reason, the user can
     follow a link which associates each of the 10 buttons with one
     of a randomly chosen (each time you hit this screen, as far as
     I can see) set of 10 letters.  The user can then type the
     letters that correspond to the desired numbers.

Workflow 2:

1)  Site prompts user for only a username.
2)  After user enters a username, site responds with a page that has a
     password field and a bunch of buttons in the general shape of a
     qwerty keyboard.
3)  The user enters a password in the password field.
4)  The user also enters a different password (the site enforces
     that they're different during account setup) by clicking the
     correct buttons on the "virtual keyboard".

Various other banking sites I've dealt with have the 
"previously-agree-on image and phrase" thing going on, but these two are 
the ones that are creative with password input.  In particular, the goal 
seems to be to defeat keyloggers by making replay of logged keystrokes 
be insufficient to log into the site.

-Boris



More information about the whatwg mailing list