
Representation of login/authentication type actions

Open rrlevering opened this issue 3 months ago • 5 comments

We're considering adding some sort of schema to represent communicating some basic authentication concepts about login flows and 2-factor authentication, and resetting passwords. This came up a bit back in issue #1149.

  • Login - representing that a link is used for logging in to a service/platform
  • Authenticate - either a) a link that is used to verify an authentication/login attempt or b) an OTP that can be used to verify an authentication/login attempt
  • Reset Password - representing the action to reset your password on a platform

The current thought is to use new Action subtypes. The proposal is to add LoginAction (which often includes authentication generally as a subaction), AuthenticateAction (which may or may not have to do with logging in), and ResetPasswordAction. They would all be subtypes of ControlAction.

Obviously you could get much more explicit here with the OTP object or more subtype-specific properties. I was trying to keep it lean for now and reuse instrument or target for the information on the types.

rrlevering avatar Sep 23 '25 02:09 rrlevering
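As a sketch of how the three proposed types could be written in JSON-LD, reusing `instrument` and `target` as the opening post suggests: this is an added example, not markup from the issue or from the schema.org project, and `LoginAction`, `AuthenticateAction` and `ResetPasswordAction` are the proposed names, not published terms. Nesting the `AuthenticateAction` under the login's `instrument`, the `EntryPoint` URL and the agent are all constructed assumptions.

```json
{
  "@context": "https://schema.org",
  "@type": "LoginAction",
  "agent": { "@type": "Person", "name": "Example user (constructed)" },
  "target": {
    "@type": "EntryPoint",
    "urlTemplate": "https://login.example/session",
    "httpMethod": "POST"
  },
  "instrument": {
    "@type": "AuthenticateAction",
    "instrument": {
      "@type": "Thing",
      "name": "one-time passcode",
      "description": "delivered out of band; the code value itself is deliberately not carried in the markup"
    }
  },
  "potentialAction": {
    "@type": "ResetPasswordAction",
    "target": {
      "@type": "EntryPoint",
      "urlTemplate": "https://login.example/reset"
    }
  },
  "actionStatus": "https://schema.org/PotentialActionStatus"
}
```

The OTP is described only by type and delivery channel: any consumer that reads structured data out of a page or message would otherwise also read the secret, so the markup points at the verification step rather than embedding the credential.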

Some general comments.

  • Authenticate should be defined as defining / validating one's identity, and probably have some identity field.
  • Login should be a subclass of Authenticate, you can't login without authentication.
  • ResetPassword should probably be called Reset Credentials.

MatthiasWiesmann avatar Oct 02 '25 08:10 MatthiasWiesmann

Disagree on most of your points (maybe credentials I'm ok with).

Not that I always use Wikipedia, but in this case I agree with the definition that login is the act of identifying and authenticating oneself. The identification is somewhat separate from the authentication. After I log in, if I then go and initiate a risky transaction on my bank account, I'm again asked for authentication and they generally send me another OTP to authenticate the action. In this case, I'm already logged in but I'm being asked for continued authentication. The identity has already been established but authentication is being re-asserted. In an extreme case, I would argue you could log in without authentication/credentials and that would still be a login, just a very insecure one.

I see Login as a meta-action which generally contains authentication as part of the overall process which generally results in you being given some token that holds your declared identity.

rrlevering avatar Oct 03 '25 01:10 rrlevering

Fair, but I really think these actions should be defined beyond tautology, i.e. explain what the outcome is. You log in and authenticate some entity with some other entity and this yields a session (login) and some credentials (authentication).

MatthiasWiesmann avatar Oct 03 '25 12:10 MatthiasWiesmann

Hmmm...using inheritance in lieu of aggregation? Definitely not my go-to principle, but this is schema.org and not OWL so willing to consider it.

So LoginAction is an AuthenticateAction because it almost always performs authentication and therefore it potentially has all the data necessary for authentication? The argument would be that it might save some bits if you wanted to have a login with authentication holding the password stuff?

Do you have some practical examples in mind?

rrlevering avatar Oct 10 '25 21:10 rrlevering

I know it's a weak argument of sorts because it's more rare with online systems, but you could have a login without authentication - just a box that lets you select which account you wish to use. I do this at home on my PS5 for instance.

rrlevering avatar Oct 30 '25 14:10 rrlevering