Replies: 3 comments 3 replies
-
There is no single API per se; the managers which support it have written the functionality themselves AFAIK. There's a draft standard for exposing the URL to where a user would go to change their password, which is a step in that direction: https://w3c.github.io/webappsec-change-password-url/. It's worth noting that for this to be implemented, it'd need a lot of work with Bitwarden upstream, rather than just here. A lot would have to fall into place before there's anything vaultwarden can or should do about it.
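As an added example (not code from this thread, vaultwarden, or Bitwarden), here is the client-side probe a password manager would run under the W3C draft linked above: fetch `/.well-known/change-password`, but first check the draft's deliberately non-existent well-known resource, because an origin that answers 2xx to that cannot be trusted to say "unsupported" with a 404. The HTTP fetcher is injected so it runs offline against constructed responses; `example.com` and `bad.example` are placeholder hosts.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urljoin

# Both paths are defined by the W3C draft "A Well-Known URL for Changing Passwords".
CHANGE_PASSWORD_PATH = "/.well-known/change-password"
SHOULD_NOT_EXIST_PATH = ("/.well-known/resource-that-should-not-exist-"
                         "whose-status-code-should-not-be-200")


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # Location header, if the server redirected


# A GET that does NOT follow redirects; injected so the logic is testable offline.
Fetcher = Callable[[str], Response]


def change_password_url(origin: str, fetch: Fetcher) -> Optional[str]:
    """Return the URL a password manager should open to change the password
    at `origin`, or None if the origin does not reliably advertise one."""
    # Sanity check from the draft: a 2xx for a resource that must not exist
    # means the origin answers 2xx to anything, so a 2xx below proves nothing.
    probe = fetch(urljoin(origin, SHOULD_NOT_EXIST_PATH))
    if 200 <= probe.status < 300:
        return None
    well_known = urljoin(origin, CHANGE_PASSWORD_PATH)
    resp = fetch(well_known)
    if 300 <= resp.status < 400 and resp.location:
        # Redirect target may be relative; resolve it against the well-known URL.
        return urljoin(well_known, resp.location)
    if 200 <= resp.status < 300:
        # The draft also allows serving the change-password page directly.
        return well_known
    return None


def make_fake_fetcher(table: Dict[str, Response]) -> Fetcher:
    """Constructed stand-in for an HTTP client: unknown URLs get a 404."""
    def fetch(url: str) -> Response:
        return table.get(url, Response(404))
    return fetch


if __name__ == "__main__":
    good = make_fake_fetcher({
        "https://example.com" + CHANGE_PASSWORD_PATH: Response(302, "/settings/password"),
    })
    print(change_password_url("https://example.com", good))
```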
-
An interesting opinion about the topic at the Bitwarden community forum:
-
Anyone have any new info?
-
Does anybody here know about any standard (or at least some example implementation to be followed if there is no standard) API between a service (e.g. some corporate CMS) and credential/secret/password managers (e.g. the Bitwarden client) allowing these managers to initiate a credential change (independent of whether the user is currently logged in or not), make it happen (i.e. generate new credentials, submit them along with the original credentials, etc.), and finally re-log in all existing sessions to maintain them without the user noticing anything?
All that without any user intervention (but with a notification that e.g. some user sessions could not be maintained because the password manager could not reach them, which usually means there is an attacker with a parallel open session).
I've googled a bit and couldn't find anything. I'm really surprised, because based on the latest research user-facing credentials would need to be changed every 2 weeks to avoid the biggest harm their disclosure could lead to. But at the same time it's impossible with a lot of manual work (users have tens or hundreds of accounts if they follow the advice "use one or multiple unique credentials for each service"), which practically completely undermines this observation. It needs to be automated, similarly to e.g. the reauthentication period in Wi-Fi WPA and many session-oriented secret communication protocols.