Dashlane / password-changer-well-known

Documentation for using Dashlane's password changer .well-known
https://dashlane.github.io/password-changer-well-known/

Why not extend W3C's "change-password"? #5

Open timcappalli opened 3 years ago

timcappalli commented 3 years ago

https://w3c.github.io/webappsec-change-password-url/

I think this will create fragmentation as there is an existing W3C draft that has seen some level of implementation. It might be better to propose changes in W3C than create another well-known endpoint.

PLhery commented 3 years ago

Hello Tim,

Thank you for this feedback!

We think the well-known for change-password is great and are using it to get the change password URL, but we think it's not achieving the same purpose as password-changer.

To automatically change a password from a logged out state, we also need to recognize:

We feel these four topics are out of the scope of the .well-known/change-password spec; that's why we're proposing this password-changer spec.

This is still an early draft, not yet well specified, so we're hoping to gather some feedback from the community. We're exploring different options and would be happy to discuss any suggestions you may have.

A possible alternative solution, which may ease adoption and improve even semi-manual change password flows, could be to tackle these issues independently, via HTML attributes for instance.