UserInterface is thightly coupled with password authentication #28365
Description
This is not an issue, but rather a forward-looking discussion about the user authentication topic.
Description
At the moment, the user interface is thighly coupled with an authentication based on a username/password pairs.
This not not a problem at all as 999‰ of the running applications use this authentication method.
However, with the coming Webauthn standard, passwords won’t be needed anymore. This standard allows user to associate an infinite number of security tokens that will mainly communicate through the USB, NFC, Bluetooth or an internal protocol.
Data that is supposed to be stored is credential IDs and associated cryptographic public keys instead of passwords and salts.
Therefore, the methods getPassword, getSalt and all the associated functionalities (e.g. password encoders) will become completely useless.
Possible Solution
This interface and the other classes that use/implement those methods may gradually evolve to take into account this new authentication scheme.
Methods could be renamed into getCredentials or another generic equivalent that is not specifically linked to a password.
In any cases, changes will undoubtedly affect several classes, associated logic (e.g. AbstractToken or SwitchUserListener) and the way application manage their user credentials.
Please, do not hesitate to participate and share here the way you imagine futur authentication architecture.