#1092: Web Authentication Immediate Mediation

Visit on Github.

Opened May 12, 2025

こんにちは TAG-さん!

I'm requesting a TAG review of a new mediation mode for getting WebAuthn assertion, immediate.

This mode does the following:

  • If there are discoverable WebAuthn credentials available immediately to the user agent, it shows them to the user for selection.
  • If there are no such credentials, throw NotAllowedError.

This differs from existing WebAuthn modal sign-in flows in that they always show UI, allowing users to attempt to use WebAuthn credentials from external authenticators or phones.

This differs from the existing WebAuthn conditional mediation flow in that conditional does not return an error if there are no available credentials. In that case the promise never resolves.

Further details:

Discussions

Log in to see TAG-private discussions.

Discussed Jun 2, 2025 (See Github)

Martin: I just don't see how we can do this. Johann mentioned the idea of proving you know the credential. There are cases where someone's reauthenticating, and you have cookies saying what they used last time. Want to use the cookie as a hook to get the proof. So there's no privacy risk, and you want to know immeidately. But it looks liek they're throwing out the privacy design, which isn't acceptable. The original privacy design existed for a good reason.

Jeffrey: I think that's enough for a comment. We wouldn't close it after that, but should ask them to address the problem.

Martin: They do have privacy considerations. They say the RP doesn't have a way to learn the credentials until someone goes through the whole process. ... They're thinking about requiring activation, but that's not enough.

Jeffrey: Draft a comment?

Martin: Sure.

Discussed Jun 16, 2025 (See Github)

Martin: Wrote this proposal two weeks back, would appreciate input: https://github.com/w3ctag/design-reviews-private-brainstorming/issues/152#issuecomment-2933339292

Marcos: Why did they ask us instead of handling it in the WG?

Martin: Maybe it's done there?

Jeffrey: PR is still open.

Martin: TAG review exists to get feedback.

Marcos: If it affects Credential Management might be worth reviewing?

Jeffrey: Martin's feedback was important, especially if the WG is done with this. I think Martin's comment is ready to post.

Comment by @martinthomson Jun 18, 2025 (See Github)

Does this address your concerns?

Not really. At least, not for me personally. Though the API doesn't get to name a credential, this is new information leakage. I realize that attempting to read this bit carries the risk of showing prompts that will be very annoying, but I don't see sufficient justification for this.

If this is for first-time visits to a page or visits from people without any associated identification, as you note, it would be better to have an explicit user choice to log in - engaging the existing flow - rather than have this pop, conditional on there being a credential.

It seems that the set of cases where a user is unknown to a site, but has a usable credential for that site, is a fairly narrow set of cases.

  • There is obviously the cross-site credentials in Related Origin Requests. Is that a primary use case? We haven't established a TAG position on this yet, but we have concerns about cross-site information flow, similar to those for Related Website Sets.
  • A user who has cleared cookies is another potential candidate. But this design allows for invisible confirmation of a non-recognition, which is undesirable.
  • What else did I miss?

Overall, the information leakage, both through the immediate failure and the API being disabled in private/incognito modes don't seem to be justified by these.

Discussed Jun 23, 2025 (See Github)

Tim: Problem it's solving is that if you don't have a local passkey, have a remote one, they click the passkey button, see a QR code, user bails out.

Martin: QR code is user-hostile. Why can't the devices sync their passkeys?

Tim: Lots of reasons not to sync to the device.

Martin: Scenario I'm seeing is not particularly compelling. Is there a way for the browser to not support this particular mode?

Tim: Don't have to support any of the conditional modes. Would be added to client capabilities.

Martin: FF would say "you have to go to the full login page to use this".

Tim: Modal flow is minimum bar, then autofill, then this. This is the number-1 problem we have.

Martin: If someone wanted to silently confirm that someone doesn't have a passkey, they'd risk showing the dialog. Which users wouldn't miss. Get the tradeoff.

Tim: In most cases it'll come from the platform and be very intrusive.

Martin: No major problems here. Biggest issue overall is about Related Origins. Greater clarity about which path. Need to talk to John, but there may be a path.

Marcos: Immediate still affects Credential Management, so needs to bounce through WebAppSec.

Tim: And that's L4, not L3.

Comment by @kenrb Jun 23, 2025 (See Github)

It sounds like the central question you are asking is whether the use case is genuinely compelling, since no level of information leakage is acceptable if it does not provide substantial user benefit.

However, the set of cases where this is relevant is considerably wider than what you list.

A significant factor that hasn't been noted is that passkeys sync across devices. So a credential created on one device should become automatically available on another device, browser implementation, and/or profile, as long as the user's passkey provider is available there.

For example, suppose a user creates an account on a website while browsing on their phone, and saves a passkey to the platform or a third-party password manager. Later, using a desktop computer, they navigate to the same site. The site does not have any information about who the user is, but when the user clicks a "Sign In" button on the page then this API enables the user agent to display the recently-created passkey.

We believe there is value in reducing the incidence of users encountering form-based sign-in pages on the web. They are often complex, offering multiple sign-in methods and putting the onus on the user to remember which one they need to use. This feature would provide a simple low-friction alternative for a user who has signalled their intent to sign in to the site.

The following situations are all cases where this feature would improve the user sign-in experience, because they require a site to have to offer all sign-in options:

  • The user is browsing from a new profile, browser, or device.
  • The user created an account on a different profile, browser, or device than they are currently using, and has not signed in on this one yet.
  • The user has not visited the site within the window for the site's cookie expiry time, and cookies have been deleted. Many websites set short cookie expirations, for a variety of reasons, including regulations in some instances.
  • The user has manually cleared cookies.
  • The user wants to sign in with a different account than they previously signed in with.

You are right that sites can use cookies to offer simplified re-authentication flows when those cookies are available, but form-based sign-in pages are still commonly encountered on the web. We have received positive feedback from developers who believe this will improve the sign-in flow for their users.