Intent to Ship: Web Authentication Conditional Create (Automatic Passkey Upgrades)
43 views
Skip to first unread message
Chromestatus
Jan 15, 2026, 3:57:24 PM (yesterday) Jan 15
to blin...@chromium.org, mart...@google.com
Contact emails
mart...@google.comSpecification
https://w3c.github.io/webappsec-credential-management/#dom-credentialmediationrequirement-conditional:~:text=For%20create
Summary
WebAuthn Conditional Create allows websites to automatically create passkeys for existing users that have a matching password saved in their password manager.
Blink component
Blink>WebAuthenticationWeb Feature ID
No information provided
Motivation
WebAuthn Conditional Create requests let a website (aka a Relying Party or RP) create a passkey without prominent modal mediation, if the user has previously consented to credential creation.
The motivating use case is commonly referred to as "passkey upgrades". I.e., if the browser/credential manager already stores an existing password credential for the same website/relying party and user, conditional create allows the the website automatically create a matching passkey.
An explainer with more information is hosted in the W3C WebAuthn wiki: https://github.com/w3c/webauthn/wiki/Explainer:-Conditional-Registration-Extension
Initial public proposal
No information providedTAG review
No information provided
TAG review status
Issues addressed
Risks
Interoperability and Compatibility
WebKit already shipped this feature ahead of Blink, so this launch is positive for interoperability.
Gecko: No signal
WebKit: Shipped/Shipping (https://developer.apple.com/documentation/safari-release-notes/safari-18-release-notes#Authentication:~:text=Implemented%20conditional%20credential%20creation.%20)
Web developers: No signals
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
No information providedDebuggability
No information provided
Will this feature be supported on all six Blink platforms
(Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
Yes
Blink implements this feature on all platforms. On Android, requests are forwarded to the native Credential Manager API, where supporting password managers need to implement it separately.
Is this feature fully tested by web-platform-tests?
Yes
https://wpt.fyi/results/webauthn/conditional-mediation.https.html?label=experimental&label=master&aligned
Flag name on about://flags
No information provided
Finch feature name
No information provided
Non-finch justification
No information providedRollout plan
Will ship enabled for all usersRequires code in //chrome?
FalseTracking bug
https://crbug.com/377758786Launch bug
https://launch.corp.google.com/launch/4373425Estimated milestones
| Shipping on desktop | 136 |
| Shipping on Android | 142 |
Anticipated spec changes
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
No information providedLink to entry on the Chrome Platform Status
https://chromestatus.com/feature/5135710007590912?gate=5163515357429760Links to previous Intent discussions
Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/67329059.2b0a0220.26ec07.069d.GAE%40google.comReady for Trial: https://groups.google.com/a/chromium.org/g/blink-dev/c/XFJmqtQpMds/m/ipPKSS5ECQAJ
This intent message was generated by
Chrome Platform Status.
Martin Kreichgauer
Jan 15, 2026, 3:59:04 PM (yesterday) Jan 15
to Chromestatus, blin...@chromium.org
Hello API Owners,
This feature was launched on Desktop in Chrome 136 and Android in 142, and we unfortunately forgot to request Intent to Ship approvals. I just realized this mistake while we were cleaning up old feature flags, my apologies. Are there any concerns or could we please have retroactive LGTMs?
For context, this was an additional feature to WebAuthn that had an already existing spec and an implementation in WebKit. Several large Relying Parties have adopted it already.
Thanks,
Martin Kreichgauer
This feature was launched on Desktop in Chrome 136 and Android in 142, and we unfortunately forgot to request Intent to Ship approvals. I just realized this mistake while we were cleaning up old feature flags, my apologies. Are there any concerns or could we please have retroactive LGTMs?
For context, this was an additional feature to WebAuthn that had an already existing spec and an implementation in WebKit. Several large Relying Parties have adopted it already.
Thanks,
Martin Kreichgauer
Rick Byers
11:53 AM (10 hours ago) 11:53 AM
to Martin Kreichgauer, Chromestatus, blin...@chromium.org
Thanks for acknowledging the mistake and sending this retroactively Martin. No concerns with the intent from me, LGTM1.
Sorry we didn't have any way in our 'webexposed' tests to double-check for approvals for this sort of new feature (JSON-schema only change to the argument of a web-exposed API). I don't see any reliable and low-friction check we could add for cases like this, so I think we should just chalk this up as a known limitation of our heuristics. Mistakes like this do happen occasionally but IMHO they are extremely rare so not something I think we need to take special action on.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAB%3DfcEZ%3DRM9VMS_8eWedDh4ADOFq%3DF-imw5oTpTcW4YvvtR66w%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages