Login Status API

From Bitnami MediaWiki

Overview

Apple's Login Status API (previously IsLoggedIn API) is designed to inform the browser of whether a site is currently authorizing a user to access registration-only services, otherwise known as the login "state".[1]

Under the current proposal, the browser can become an active party between users and sites, disintermediating the relationship sites otherwise have with their users. "Why Do Browsers Need To Know? The current behavior of the web is “logged in by default,” meaning as soon as the browser loads a webpage, that page can store data such as cookies virtually forever on the device."[2]

Apple's proposal would "Require websites to take the user through a login flow according to rules that the browser can check. This would be the escape hatch for websites who can’t or don’t want to use WebAuthn or a password manager but still want to set the IsLoggedIn bit."

Impact

By making the browser an active party in controlling the login state, the browser gains new power to log users out based on rules determined solely by the browser. This may cause confusion and frustration for users, who prefer to remain logged in on sites they take the effort to log into until they choose to log out.

Moreover, one could foresee the browser trying to monopolize access to user authentication by handing only a login state back to a site, along the lines of Apple's "Hide My Email" offering. This would disintermediate sites not only from logged-out visitors but also from registered users and active subscribers.

Note: Neither Google nor Apple has made any commitment that it will rely only on the Login Status API to manage its own relationships with consumers.

Regulator Perspectives

The UK CMA expressed concerns about Google's Conversion Measurement API that would also apply to this API:

  1. Disproportionately impairing only rivals' access to data
  2. Such impairment would exacerbate Google's information advantage over rivals, further entrenching its dominance
  3. Google's proposed API was neither an adequate replacement to meet marketer and publisher needs nor a means of addressing conflict-of-interest concerns, thus further distorting competition by removing choices from the marketplace.

The CMA noted that the "extensive reach of Google’s user-facing services and its ability to connect data with greater precision (because of its large base of users logged into their Google account) provide Google with a significant data advantage over others."[3]

Open Questions

  • Would consumers have the ability to opt out of browser interference with their relationship with sites?
  • What rules would browsers impose between sites and their users?

References