Google to transfer developers to Federated Credential Management API in April for cookie-free user authentication

Continuing on its plan of phasing out third-party cookies from Chrome this year, Google has announced that in a couple of months it will be using the Federated Credential Management (FedCM) API as a cookie-free alternative to signing in using Google Identity Services (GIS).

GIS allows users to sign into apps or websites using their Google accounts, rather than having to create a new username and password for that site. 

GIS currently uses third-party cookies to sign users into websites using their Google Account.  FedCM allows users to still use their Google account to login, while doing so in a privacy preserving manner. 

According to the FedCM API documentation, it works by using a user agent as a mediator between the website that needs to be signed into (RP) and the website that provides the user’s information for sign-in (IDP). The user will need to grant permission before the RPs and IDPs are given the ability to know about their connection to that user. The way the user agent mediates between the two “makes it impractical for the API to be used for tracking purposes,” the documentation states. 

Beginning in April, GIS developers will be moved automatically to this new system. Developers will be migrated automatically, and for most developers, this will happen in the background and won’t impact user flows. The exception is websites with custom integrations, which will require minor changes to make it work. 

In Q3 of this year, Google plans to ramp-up restrictions on third-party cookies and will reach 100% of users by the end of Q4. In January, the company had started restricting cookies for 1% of users. 

“As the web has evolved there have been ongoing privacy-oriented changes (e.g Safari, Firefox, Chrome) and changes to the underlying privacy principles (e.g. Privacy Model),” the API documentation states. “With this evolution, fundamental assumptions of the web platform are being redefined or removed. Access to cookies in a third-party context are one of those assumptions. While overall good for the web, the third-party cookie deprecation removes a fundamental building block used by certain designs of federated identity. The Federated Credential Management API aims to bridge the gap for the federated identity designs which relied on third-party cookies.”