Forum Discussion
Elliot Kirk
Oct 29, 2019, Former Employee
Autofill Blog #2: Password Security
The last blog post on Autofill in Microsoft Edge received several comments and inquiries from readers on Password Storage and Security. We understand this is a subject of great interest and concern t...
saltukkos
Nov 08, 2019, Copper Contributor
- Fill on Account Select (FoAS): This feature (available via edge://flags, see below) enables stored credentials from getting Autofill-ed into Username and Password fields. The way it works is that instead of injecting your stored username and password directly into a website, the browser now requires an additional confirmation from you before this data is passed onto the website. (How this differs from the Master Password feature described previously is that FoAS does not involve an additional re-authentication step.)
Please add a re-authentication step here (at least the ability to enable it in this case), because all your arguments break when I press F12 and change the input type from "password" to "text". What's the point of using Windows Hello in "view saved passwords" when I can open the site and get the password with two clicks?
You need to implement a master password (or use Windows Hello) when filling sensitive data; otherwise it will be the default non-secure, non-usable browser autofill and everybody will use LastPass and other alternatives.
- Suhrid_Palsule, Nov 14, 2019, Microsoft
Hi saltukkos, thank you for your feedback! Responses below:
- Add re-authentication to FoAS: Yes, this is under consideration (as discussed in the blog post; see Master Password). However, FoAS is useful in its own right as it defends against certain types of security attacks - read more here.
- Viewing passwords in the HTML: This is a known fact and not a vulnerability. When you offer a website your username and password – either by entering it in manually OR via autofill – the website now has access to these text entries as is evident by using F12 and seeing them in the website HTML.
Autofill functionality simply mimics the user action of manually entering the username/password text into the respective form fields and saves time and manual effort.
If an unauthorized person is viewing the password using Dev tools, this means that the device is no longer secure. As stated in the blog post, such threats (classified as physically-local attacks) are outside the Security Threat Model of the Password Manager.
- Why ask for authentication during the ‘View Saved Passwords’ user flow when they can be viewed in the site HTML: First, you will find that you cannot use the same F12 approach to make passwords visible in Settings. This is because at this point they’re still stored securely with the browser and not yet auto-filled into the website. So they can be made visible only after due authentication. Once they’re auto-filled, however, this is as good as having been entered manually (as explained above). And therefore being able to view them through Developer Tools is not a vulnerability, and asking for authentication in the Settings View flow is appropriate from a security perspective.
- Master Password: As stated in the blog post, we are considering this. And yes, this will ensure that autofill only works after due authentication is provided.
- Non-secure, non-usable: The current browser, as explained above, is neither non-secure nor non-usable.
In closing, it might be helpful to look at a simplified version of the Password Manager security model from a user’s perspective (Note: This is a simplified version and does not cover all aspects of the feature):
Password storage: Encrypted on disk
View password in Settings: Blinded by default, can’t be exposed via F12. Need OS authentication to make visible
Auto-fill into websites:
- Regular mode: auto-fill works without additional user input
- FoAS (available via flag): Requires the user to choose the account that she wants to autofill and protects the user from certain types of phishing attacks
- Master Password: similar to FoAS but with an additional authentication check
Hope this helps!
- mikemuch, Nov 19, 2019, Copper Contributor
Does the data remain encrypted during sync over the web? Suhrid_Palsule
- Suhrid_Palsule, Dec 02, 2019, Microsoft
mikemuch Passwords stay encrypted during transit as well as in cloud storage.