WebKit / explainers

Explainers from WebKit contributors
How to prevent bad-faith login claims? #34

Closed hober closed 4 years ago

hober commented 4 years ago

We really need to at least sketch out a possible approach.

othermaciej commented 4 years ago

To expand on this a bit: If being logged in gives a site extra storage powers, then clearly they'll be incentivized to say the user is logged in as much as possible. We can try to link permission to call this API to browser-observable login actions (such as using WebAuthn, or the user autofilling a password field, followed by some sort of submission of that form) but it might be tricky to prevent evasion.

johnwilander commented 4 years ago

This has now been ported to the W3C repo. Please continue the discussion there.