Decentralizing Identity: How FedCM Could Transform the Open Social Web

Tech Essays Reporter

FedCM promises seamless web authentication, but its centralized design leaves the decentralized social web behind. A new grant-funded initiative aims to bridge this gap by adapting FedCM for protocols like AT Protocol, ActivityPub, and Solid.

The future of web authentication may be shifting beneath our feet, and the open social web stands at a critical crossroads. While most users have grown accustomed to "Sign in with Google" or "Sign in with Facebook" buttons, a new standard called Federated Credential Management (FedCM) promises to make this experience even smoother—but with a catch that could leave decentralized platforms behind.

The Promise and Problem of FedCM

FedCM represents a significant evolution in how web authentication works. Rather than the current OAuth dance that bounces users between websites, FedCM allows browsers to mediate the entire authentication process. The browser remembers your logins and presents a list of available accounts without leaving the current page. An early implementation in Google Chrome demonstrates this seamless experience, where users simply ask the browser for credentials from a specific provider.

However, this elegant solution was designed with a fundamental assumption: that web applications have relationships with a known, limited set of authorization servers. This works perfectly for the centralized web, where a handful of identity providers dominate. But it breaks down completely for the open social web, where anyone can host their own authorization server and countless protocols coexist.

In the decentralized ecosystem—whether you're using AT Protocol, ActivityPub, Solid, or IndieAuth—the question isn't "Can I get credentials from Provider X?" but rather "Can I get credentials from any provider that supports Protocol Y?" This architectural mismatch means FedCM, despite its potential, currently offers no benefit to decentralized platforms.
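The provider-named model described above, seen from the relying party's side, as an added example that is not code from the article or from any project it mentions. The hosts, client IDs and helper names (`buildProviders`, `canOffer`, `signIn`) are constructed for illustration; `navigator.credentials.get` with `identity.providers` is the existing FedCM entry point.

```javascript
// Constructed placeholder providers: the RP must enumerate every IdP in advance.
const KNOWN_IDPS = [
  { configURL: "https://idp-one.example/fedcm/config.json", clientId: "rp-client-1" },
  { configURL: "https://idp-two.example/fedcm/config.json", clientId: "rp-client-2" },
];

// Keep only https config URLs without embedded credentials, one entry per origin.
function buildProviders(idps, nonce) {
  const seen = new Set();
  const providers = [];
  for (const { configURL, clientId } of idps) {
    let url;
    try { url = new URL(configURL); } catch { continue; }
    if (url.protocol !== "https:" || url.username || url.password) continue;
    if (seen.has(url.origin)) continue;
    seen.add(url.origin);
    providers.push({ configURL: url.href, clientId, nonce });
  }
  return providers;
}

// True only if the user's home server is one the RP listed ahead of time.
// A self-hosted server never appears here, which is the mismatch the text describes.
function canOffer(homeServer, idps) {
  const origin = new URL(homeServer).origin;
  return buildProviders(idps, "").some(p => new URL(p.configURL).origin === origin);
}

// Browser-only: ask the browser to mediate sign-in with the enumerated providers.
async function signIn(idps, nonce) {
  if (!("IdentityCredential" in globalThis)) {
    return null; // FedCM is not available in this environment
  }
  const cred = await navigator.credentials.get({
    identity: { providers: buildProviders(idps, nonce) },
  });
  return cred ? cred.token : null;
}
```

The nonce should be generated per request on the server and checked against the returned token, so a token issued for one sign-in attempt cannot be replayed into another.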

Bridging the Gap Through Community Action

The challenge caught the attention of Emelia Smith, a veteran of decentralized identity systems who has contributed to ActivityPub, Solid, and IndieAuth. Recognizing that FedCM's centralized design left the open social web behind, Smith saw an opportunity to adapt the standard for decentralized use cases.

The path forward involves a proposal called Identity Provider Registration, currently in Stage 1 incubation within the FedID Community Group. This proposal would allow browsers to discover which providers support which protocols, enabling the decentralized use case. However, proposals from community groups need champions within the official working group to gain traction with browser implementers.

Funding the Decentralized Future

Understanding that meaningful change required dedicated advocacy, Smith approached Bluesky Social PBC about funding this work. The result is a $39,000 grant over 12 months that ensures Smith's independence while requiring liaison work across multiple decentralized communities.

The grant structure is deliberately designed to maintain neutrality. All technical contributions, positions, and votes within the FedID Working Group remain Smith's own, uninfluenced by Bluesky. This independence is crucial for building trust across the diverse decentralized ecosystem.

The Challenges Ahead

Early discussions within the working group have already surfaced significant concerns that need addressing:

  • Silent Registration: The community pushed back against creating passkeys without user prompts, emphasizing the need for transparency in authentication flows.
  • Revocation: How do users revoke credentials in a decentralized system where they might have accounts across dozens of providers?
  • Abuse Prevention: Identity Provider Registration must prevent malicious actors from impersonating legitimate providers.
  • The Chicken-and-Egg Problem: Authorization servers won't implement features without relying parties demanding them, but relying parties won't demand features that don't exist.

These challenges aren't insurmountable, but they require careful consideration and collaboration across the entire decentralized identity ecosystem.

What Success Looks Like

If successful, this initiative could transform how users interact with decentralized platforms. Imagine browsing a website that supports ActivityPub and being able to authenticate with any compatible server you already use—your Mastodon instance, your WordPress site with ActivityPub support, or any other provider—all through your browser's native interface.

The benefits extend beyond convenience. A standardized, browser-mediated authentication system could improve security by reducing phishing risks and providing consistent user experiences across platforms. It could also lower barriers to entry for new decentralized platforms by eliminating the need to build custom authentication systems.

The Road Ahead

The work is just beginning, with regular updates planned every two months to track progress. The next FedID Working Group meeting on March 10th, 2026, will be crucial for advancing these discussions and building consensus around the decentralized identity vision.

This initiative represents more than just technical standardization—it's about ensuring that the open social web can compete on equal footing with centralized platforms in terms of user experience. By adapting FedCM for decentralized use cases, the community has an opportunity to create a future where choosing a decentralized platform doesn't mean sacrificing convenience or security.

The success of this effort could determine whether the open social web remains a niche alternative or becomes a viable mainstream option. As authentication becomes increasingly central to how we interact with online services, getting this right isn't just a technical detail—it's fundamental to the future of decentralized digital communities.
