Intent to Experiment: Web Authentication immediate mediation

98 views
Skip to first unread message

Ken Buchanan

unread,
Jun 25, 2025, 8:45:51 AMJun 25
to blink-dev

Contact emails

ke...@chromium.orgder...@google.com

Explainer

https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-immediate-mediation

Specification

https://github.com/w3c/webauthn/pull/2291

Design docs


https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-immediate-mediation

Summary

A mediation mode for navigator.credentials.get() that causes browser sign-in UI to be displayed to the user if there is a passkey or password for the site that is immediately known to the browser, or else rejects the promise with NotAllowedError if there is no such credential available. This allows the site to avoid showing a sign-in page if the browser can offer a choice of sign-in credentials that are likely to succeed, while still allowing a traditional sign-in page flow for cases where there are no such credentials.



Blink component

Blink>WebAuthentication

TAG review

https://github.com/w3ctag/design-reviews/issues/1092

TAG review status

Pending

Origin Trial documentation link

https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-immediate-mediation

Risks



Interoperability and Compatibility

This is a discussion topic in the Web Authentication Working Group. Representatives from other browser vendors are involved in this discussion but there are no official signals of support yet. The ability to use `PasswordCredential` with this mediation mode is a particular compatibility risk because that credential type is not currently implemented Firefox or Safari.



Gecko: No signal (https://github.com/mozilla/standards-positions/issues/1239)

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/504) Interest expressed verbally in a WebAuthn WG F2F.

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Goals for experimentation

Validate performance of new UI for sign-in flows.

Ongoing technical constraints

None



Debuggability

None



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

WPTs in progress

DevTrial instructions

https://docs.google.com/document/d/18iV5eUBM4NVoNx0gqPSxPyJAjPdrfIR75vcMDBewzZU/edit?tab=t.0#heading=h.uj0x12ysuohk

Flag name on about://flags

experimental-web-platform-features

Finch feature name

WebAuthenticationImmediateGet

Requires code in //chrome?

True

Tracking bug

https://issues.chromium.org/issues/408002783

Launch bug

https://launch.corp.google.com/launch/4394539

Estimated milestones

Origin trial desktop first139
Origin trial desktop last141
DevTrial on desktop136
DevTrial on Android139


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5164322780872704?gate=5144500902821888

Links to previous Intent discussions

Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALjHGKrQEs4TDzuzb%3D0B00S4OmkE4a1NbZGi19sCueTKvN_m9w%40mail.gmail.com
Ready for Trial: https://groups.google.com/a/chromium.org/g/blink-dev/c/zC13ioLIZ_E/m/P-P6B6gNCQAJ


This intent message was generated by Chrome Platform Status.

Chris Harrelson

unread,
Jun 25, 2025, 11:23:44 AMJun 25
to Ken Buchanan, blink-dev
LGTM

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALjHGKpJkA9G6De6D4%3DRNSbLMRdy8Yfa6B%3DgDNWeqTyHfv8sSg%40mail.gmail.com.

Tim Cappalli

unread,
Jun 25, 2025, 1:18:26 PMJun 25
to Chris Harrelson, Ken Buchanan, Tim Cappalli, blink-dev
> Web developers: No signals

We (Okta) are very excited for this feature/capability to help with some of the UX issues and user frustrations that come with the (long) transition from traditional credentials to passkeys.

Tim

Reply all
Reply to author
Forward
0 new messages