#1092: Web Authentication Immediate Mediation

Visit on Github.

Opened May 12, 2025

こんにちは TAG-さん!

I'm requesting a TAG review of a new mediation mode for getting WebAuthn assertion, immediate.

This mode does the following:

  • If there are discoverable WebAuthn credentials available immediately to the user agent, it shows them to the user for selection.
  • If there are no such credentials, throw NotAllowedError.

This differs from existing WebAuthn modal sign-in flows in that they always show UI, allowing users to attempt to use WebAuthn credentials from external authenticators or phones.

This differs from the existing WebAuthn conditional mediation flow in that conditional does not return an error if there are no available credentials. In that case the promise never resolves.

Further details:

Discussions

Log in to see TAG-private discussions.

Discussed Jun 2, 2025 (See Github)

Martin: I just don't see how we can do this. Johann mentioned the idea of proving you know the credential. There are cases where someone's reauthenticating, and you have cookies saying what they used last time. Want to use the cookie as a hook to get the proof. So there's no privacy risk, and you want to know immeidately. But it looks liek they're throwing out the privacy design, which isn't acceptable. The original privacy design existed for a good reason.

Jeffrey: I think that's enough for a comment. We wouldn't close it after that, but should ask them to address the problem.

Martin: They do have privacy considerations. They say the RP doesn't have a way to learn the credentials until someone goes through the whole process. ... They're thinking about requiring activation, but that's not enough.

Jeffrey: Draft a comment?

Martin: Sure.

Discussed Jun 16, 2025 (See Github)

Martin: Wrote this proposal two weeks back, would appreciate input: https://github.com/w3ctag/design-reviews-private-brainstorming/issues/152#issuecomment-2933339292

Marcos: Why did they ask us instead of handling it in the WG?

Martin: Maybe it's done there?

Jeffrey: PR is still open.

Martin: TAG review exists to get feedback.

Marcos: If it affects Credential Management might be worth reviewing?

Jeffrey: Martin's feedback was important, especially if the WG is done with this. I think Martin's comment is ready to post.

Comment by @martinthomson Jun 18, 2025 (See Github)

Does this address your concerns?

Not really. At least, not for me personally. Though the API doesn't get to name a credential, this is new information leakage. I realize that attempting to read this bit carries the risk of showing prompts that will be very annoying, but I don't see sufficient justification for this.

If this is for first-time visits to a page or visits from people without any associated identification, as you note, it would be better to have an explicit user choice to log in - engaging the existing flow - rather than have this pop, conditional on there being a credential.

It seems that the set of cases where a user is unknown to a site, but has a usable credential for that site, is a fairly narrow set of cases.

  • There is obviously the cross-site credentials in Related Origin Requests. Is that a primary use case? We haven't established a TAG position on this yet, but we have concerns about cross-site information flow, similar to those for Related Website Sets.
  • A user who has cleared cookies is another potential candidate. But this design allows for invisible confirmation of a non-recognition, which is undesirable.
  • What else did I miss?

Overall, the information leakage, both through the immediate failure and the API being disabled in private/incognito modes don't seem to be justified by these.

Discussed Jun 23, 2025 (See Github)

Tim: Problem it's solving is that if you don't have a local passkey, have a remote one, they click the passkey button, see a QR code, user bails out.

Martin: QR code is user-hostile. Why can't the devices sync their passkeys?

Tim: Lots of reasons not to sync to the device.

Martin: Scenario I'm seeing is not particularly compelling. Is there a way for the browser to not support this particular mode?

Tim: Don't have to support any of the conditional modes. Would be added to client capabilities.

Martin: FF would say "you have to go to the full login page to use this".

Tim: Modal flow is minimum bar, then autofill, then this. This is the number-1 problem we have.

Martin: If someone wanted to silently confirm that someone doesn't have a passkey, they'd risk showing the dialog. Which users wouldn't miss. Get the tradeoff.

Tim: In most cases it'll come from the platform and be very intrusive.

Martin: No major problems here. Biggest issue overall is about Related Origins. Greater clarity about which path. Need to talk to John, but there may be a path.

Marcos: Immediate still affects Credential Management, so needs to bounce through WebAppSec.

Tim: And that's L4, not L3.

Comment by @kenrb Jun 23, 2025 (See Github)

It sounds like the central question you are asking is whether the use case is genuinely compelling, since no level of information leakage is acceptable if it does not provide substantial user benefit.

However, the set of cases where this is relevant is considerably wider than what you list.

A significant factor that hasn't been noted is that passkeys sync across devices. So a credential created on one device should become automatically available on another device, browser implementation, and/or profile, as long as the user's passkey provider is available there.

For example, suppose a user creates an account on a website while browsing on their phone, and saves a passkey to the platform or a third-party password manager. Later, using a desktop computer, they navigate to the same site. The site does not have any information about who the user is, but when the user clicks a "Sign In" button on the page then this API enables the user agent to display the recently-created passkey.

We believe there is value in reducing the incidence of users encountering form-based sign-in pages on the web. They are often complex, offering multiple sign-in methods and putting the onus on the user to remember which one they need to use. This feature would provide a simple low-friction alternative for a user who has signalled their intent to sign in to the site.

The following situations are all cases where this feature would improve the user sign-in experience, because they require a site to have to offer all sign-in options:

  • The user is browsing from a new profile, browser, or device.
  • The user created an account on a different profile, browser, or device than they are currently using, and has not signed in on this one yet.
  • The user has not visited the site within the window for the site's cookie expiry time, and cookies have been deleted. Many websites set short cookie expirations, for a variety of reasons, including regulations in some instances.
  • The user has manually cleared cookies.
  • The user wants to sign in with a different account than they previously signed in with.

You are right that sites can use cookies to offer simplified re-authentication flows when those cookies are available, but form-based sign-in pages are still commonly encountered on the web. We have received positive feedback from developers who believe this will improve the sign-in flow for their users.

Discussed Jun 30, 2025 (See Github)

Martin: I don't think this is compelling, but I see why they do. It's about how we balance the objectives. Whether this delivers user value vs value to the websites. Not sure I agree this gives user value. Might be negative user value in some of the examples, like in cookie clearing. If it becomes trivial to reactivate a passkey after a cookie clearing, there are confirmation attacks.

Jeffrey: Think they still show the dialog.

Martin: If you've decided to clear cookies because you want the site to forget whether you've been there, then a 'no' on the dialog is distinguishable from the user never having been there. Not justified by the use case. They're trying to avoid showing people login forms.

Jeffrey: We can make the TAG position "don't think this is worth it", but we should also file that as an issue so it's a privacy consideration even if they go ahead against our advice.

Jeffrey: I want to double-check if I can be convinced that this is good, but right now I also don't see the case for this. Action Item for me.

Martin: This is the first time that the form is shown (in that context), so this isn't a recurring experience for people returning to sites to log in.

Comment by @jyasskin Jul 3, 2025 (See Github)

We discussed this proposal this week, and I was left with the task to figure out if I actively support the feature. To help with that, I had a question from me rather than the TAG as a whole:

  • Is there an illustration of the benefit of immediate mediation over conditional? I see a flow without conditional mediation and a flow with immediate mediation, but nothing showing how the conditional autofill flow within the [username] box compares. Maybe there's a problem that the user needs to click that field, which could be alleviated if we give sites an imperative way to show that autofill prompt? Maybe it's that the user needs to click in the autofill box before seeing the system selector, which could be fixed if conditional let the page mark that it ought to show the system selector right away?

Given that credentials.get({'password': true}) also rejects instantly if the user hasn't stored any passwords (https://www.w3.org/TR/credential-management-1/#security-timing), I think we don't need much benefit of immediate over conditional, but there ought to be some just to justify the increased platform complexity.

Comment by @martinthomson Jul 3, 2025 (See Github)

Password credentials are not cross-site (or cross-origin?) in the same way that this is, but using that as justification for this runs afoul of our principles: just because passwords are bad, that doesn't excuse passkeys when they add the same badness. That is, password credentials should not reveal whether a password exists after site state clears.

Comment by @martinthomson Jul 11, 2025 (See Github)

I'm aware of the related website capabilities for webauthn, which might affect this. But I was more concerned about the cross-context problem. If someone clears cookies, having this leak that this happened (because it doesn't reject immediately) is a privacy leak.

Discussed Jul 14, 2025 (See Github)

Ehsan: We're still discussing and have asked the people involved to clarify some things

Hadley: is it urgent?

Ehsan: It doesn't seem to be urgent since it seems like a small addition but I can double check with Jeffery and Martin

Hadley: It's concerning when one conversation is happening across issues, do we have links connecting the relevant issues so that we're aware of relation?

Ehsan: yes, in the project brainstorming

Hadley: Brilliant

Discussed Jul 21, 2025 (See Github)

Ehsan: There's no update from Martin's side yet, there is a lack of multi-stakeholder support, which I don't think is important though. Needs final say from Martin. Still waiting for them to review on our comment.

Lola: Think if there is no multi-stakeholder support, we need to call it out in our closing comment. This should be one of the concerns.

Matthew: As far as I'm aware, there's no negative expression of support.

Ehsan: Think Safari mentioned that they are supporting it, but that wasn't official, so it's uncertain. It's pointed out in the private brainstorming.

Comment by @jyasskin Jul 26, 2025 (See Github)

I'm adding back the 'pending' status (which autoremoves whenever a non-TAG person comments) to wait for an illustration of the benefit of immediate over what's possible with conditional. I think @yi-gu might also have had some ideas that the team wanted to work through.