In the section on abuse prevention, https://github.com/privacycg/is-logged-in#defending-against-abuse, WebAuthn and passwords are mentioned as the primary authentication means.
However, many more ways currently exist to allow a user to authenticate, including e.g. certificates, 2FA that is not WebAuthn, or for example something like Windows Integrated Authentication. For many of these login flows, the browser is agnostic. In the proposal, however, it is described that browsers should become aware of what a 'proper' login is using 'rules that the browser can check'.
This may raise some challenges:
- How many of such rules would any given browser have to know to support the multitude of (existing) authN methods?
- How eager will browser vendors be to implement and support a potentially unlimited set of 'proper' login flows?
- What would be an open, scalable yet also secure way to deal with this without becoming totally dependent on the browser vendors? Will this need an (independent) body that evaluates and accredits 'proper' login flows?
- How can a novel authN method/standard gain traction if it is not supported (yet) in any browser? This may become a chicken/egg problem.
- Or is it envisioned that such login flows would need specific browser plugins each and every time? If so, does that not simply move the problem of abuse prevention?