Imagine a scenario where you let a friend use your computer and web browser. Your browser will then attempt to autocomplete information when your friend fills out online forms, so your email address and username show up in autofill without your permission.
While users can delete the autofill information before allowing others to use their browser, Microsoft says many users have expressed concern over this behaviour.
Users are also concerned about their accounts being accessed without their permission because of this autofill behaviour. For example, if you have your credentials for a social media site saved in the browser, sign out of your account, and then let your friend use the browser, autofill might still automatically inject or suggest your saved credentials.
“This allows UserB to sign into UserA’s account with a single click. Additionally, UserB can trivially reveal the plaintext of the injected password,” Microsoft noted.
Developers have previously proposed a master password as a way to protect autofill information, and Microsoft is also advocating for this concept with additional improvements.
Microsoft recommends an updated autofill OS authentication hook that can be used to provide master password functionality for users who share their devices with friends and family.
This master password feature applies to all autofill information and not just passwords, which are already protected.
Microsoft also proposed an ‘off by default, OS authentication hook’ in the Chromium autofill code path. In other words, Chromium autofill will reuse the existing Windows 10 authentication logic currently used by the password manager, and there will be a setting to configure how long a successful authentication should remain valid.
“This decision was made to ensure that users are not prompted for authentication until they indicate they want to access their saved credentials,” Microsoft noted.
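To make the proposed design concrete, here is an added example that is not code from Microsoft or the Chromium project: a small Python model of an off-by-default OS authentication hook placed in front of autofill, with a configurable window during which a successful authentication stays valid, and a prompt that fires only when the user actually asks for a saved value. The class, the `os_authenticate` callable standing in for the platform prompt, and all field names are assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class AutofillAuthGate:
    """Hypothetical model of the proposed gate in the autofill code path.

    os_authenticate stands in for the OS prompt (the same logic the password
    manager already uses); it returns True when the user authenticates.
    """
    os_authenticate: Callable[[], bool]
    hook_enabled: bool = False          # proposal: off by default
    validity_seconds: float = 60.0      # how long one successful auth stays valid
    prompts: int = 0                    # how many times the user was prompted
    _last_success: Optional[float] = field(default=None, repr=False)

    def _auth_still_valid(self, now: float) -> bool:
        return (self._last_success is not None
                and now - self._last_success < self.validity_seconds)

    def request_fill(self, field_name: str, saved_value: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Called only when the user selects a saved entry for `field_name`.

        Nothing is prompted at page load: the check runs on the fill request,
        matching the "prompt only on intent" decision. Returns the value to
        inject, or None when the OS prompt was declined or failed.
        """
        if not self.hook_enabled:
            return saved_value           # hook off: legacy behaviour, no prompt
        now = time.monotonic() if now is None else now
        if not self._auth_still_valid(now):
            self.prompts += 1
            if not self.os_authenticate():
                return None
            self._last_success = now     # start the validity window
        return saved_value
```

Passing `now` explicitly makes the expiry of the validity window easy to exercise without waiting on the clock.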
According to the tech giant, this proposal lays the foundation for future improvements and Microsoft is currently targeting the model for shared device use cases only.