
I'm trying to come up with a list of built-in mechanisms that either automatically send authentication information or automatically prompt the user to provide it in browsers.

So far I have:

  1. Cookies - sends cookies based on domain / expiration, etc.

  2. 401 WWW-Authenticate: Negotiate (SPNEGO/GSS-API) - for whitelisted domains (needs browser configuration), usually for Kerberos / NTLM

  3. Client certificate

  4. FIDO U2F (in supported browsers) - requires users to perform an action when prompted for a challenge

  5. WebAuthn (still in development, similar to the above)

  6. And obviously also Basic authentication (401 WWW-Authenticate: Basic)

Are there any other mechanisms to add to the above? (I'm excluding SAML/OIDC/OAuth as they don't have any native support or special treatment as far as I know)

Eran Medan
  • What browsers are you asking about? Or what web standards? – forest Jul 14 '19 at 07:21
  • @forest I'd say any browser that shows on https://caniuse.com/ or https://developer.mozilla.org/en-US/ and any standard that has an RFC that has some meaningful traction that has a chance it will be implemented by any of these browsers. I know this question may change over time, but I'm trying to track what native support for authentication browsers have. There is a draft for an RFC for SASL for HTTP but it's not there yet to be on the list IMHO. – Eran Medan Jul 16 '19 at 22:54

0 Answers