Almost all modern browsers, including Chrome and Firefox, have a feature that remembers your form entries. The next time you open the same website, the browser helps you fill in your credentials with one click.
However, autofilled form entries can be problematic in some scenarios. For instance, if you use a shared computer, the browser will autocomplete your details even when you are not the one using it. In that case, the other person can easily access your personal accounts without your permission.
In addition, the autofill feature can turn out to be problematic in certain other situations. There are thousands of phishing websites that try to steal users' data, including credit card information. According to Microsoft, thousands of people have expressed their concerns over this unauthorized sharing.
Microsoft explains on GitHub: “This allows UserB to sign into UserA’s account with a single click. Additionally, UserB can trivially reveal the plaintext of the injected password.”
Master Password (The Solution)
As a quick reminder, some engineers proposed a solution (master password) to resolve this issue. However, the Redmond giant dropped the idea due to some concerns:
“whether a master password feature that’s not backed by either per-credential or complete credential store encryption lures users into a false sense of security because local attackers are generally outside of the browser threat model.”
Now it seems Microsoft has finally considered user feedback and plans to address these concerns with some additional improvements. Users of shared PCs will get master password functionality through an updated autofill OS authentication hook. Microsoft noted:
“This explainer proposes the addition of an off by default, OS reauthentication hook in the Chromium autofill code path. This will reuse the existing OS reauthentication logic used in Chromium’s password manager when previewing or exporting saved passwords and will add a content setting to configure how long a successful reauthentication should remain valid.”
Since passwords are already protected, Microsoft aims to roll out the master password feature for all autofill entries. Furthermore, the authentication logic that Windows 10 devices currently use to protect your password manager would be used to protect autofill entries in Chromium browsers.
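The behaviour the explainer describes (hook off by default, OS reauthentication before a fill, a configurable window during which a successful reauthentication stays valid) can be modelled as below. This is an added illustration, not Chromium or Microsoft code; `AutofillReauthGate`, `CountPrompts` and the 60-second window are hypothetical names and values, and the OS prompt is replaced by a callback.

```cpp
#include <chrono>
#include <functional>
#include <initializer_list>
#include <utility>

// Hypothetical model of the reauthentication gate; not Chromium identifiers.
class AutofillReauthGate {
 public:
  using Clock = std::chrono::steady_clock;  // monotonic, so changing the wall clock cannot extend the window
  using OsAuth = std::function<bool()>;     // stands in for the OS credential prompt
  using Now = std::function<Clock::time_point()>;

  AutofillReauthGate(OsAuth os_auth, Now now)
      : os_auth_(std::move(os_auth)), now_(std::move(now)) {}

  // Off by default; a setting enables the hook and sets how long a success stays valid.
  void Enable(std::chrono::seconds validity) { enabled_ = true; validity_ = validity; has_ok_ = false; }

  // Returns true if autofill may inject saved data into the form.
  bool AllowFill() {
    if (!enabled_) return true;                              // default: one-click fill
    const Clock::time_point t = now_();
    if (has_ok_ && t - last_ok_ < validity_) return true;    // still inside the window
    if (!os_auth_()) { has_ok_ = false; return false; }      // fail closed, no window opened
    has_ok_ = true;
    last_ok_ = t;
    return true;
  }

 private:
  OsAuth os_auth_;
  Now now_;
  bool enabled_ = false;
  bool has_ok_ = false;
  std::chrono::seconds validity_{0};
  Clock::time_point last_ok_{};
};

// Constructed scenario: fill attempts at the given second offsets with a 60 s
// window; returns how many OS prompts the user saw.
int CountPrompts(bool enabled, bool os_ok, std::initializer_list<int> offsets) {
  int prompts = 0;
  AutofillReauthGate::Clock::time_point t{};
  AutofillReauthGate gate([&] { ++prompts; return os_ok; }, [&] { return t; });
  if (enabled) gate.Enable(std::chrono::seconds(60));
  for (int s : offsets) { t = AutofillReauthGate::Clock::time_point{} + std::chrono::seconds(s); gate.AllowFill(); }
  return prompts;
}
```

A failed prompt does not open a validity window, so a second user who cannot pass OS authentication is asked again on every fill attempt.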
With the implementation of this concept, the Big M plans to target shared Windows 10 devices, and it plans to extend the implementation to other scenarios in future improvements.