Intent to Prototype: Web Authentication immediate mediation


Ken Buchanan

Mar 24, 2025, 1:24:06 PM
to blink-dev, Adem Derinel, Martin Kreichgauer

Contact emails

ke...@chromium.org, der...@google.com

Explainer

https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-immediate-mediation

Specification

None

Summary

A mediation mode for navigator.credentials.get() that causes browser sign-in UI to be displayed to the user if there is a passkey or password for the site that is immediately known to the browser, or else rejects the promise with NotFoundError if there is no such credential available. This allows the site to avoid showing a sign-in page if the browser can offer a choice of sign-in credentials that are likely to succeed, while still allowing a traditional sign-in page flow for cases where there are no such credentials.



Blink component

Blink>WebAuthentication

Motivation

Most sign-in experiences on the web are through sign-in pages that offer multiple options for accessing an account, such as username/password input fields, federated sign-in buttons, and sometimes explicit WebAuthn or passkey buttons. In cases where the browser is aware of passkeys or passwords that the user has for the site, this API feature would make the sign-in page unnecessary, by instead showing simple browser account selection UI when the user begins a sign-in attempt. Signing in with this flow would have less friction, and avoid user confusion from having to remember which sign-in option they have used previously on a given site.


The main difference between this and existing modal WebAuthn sign-in UI is that for users without any such credentials, no browser UI will be shown, and their sign-in experience will be unchanged from what it is today (typically, a navigation to the site's sign-in page).



Initial public proposal

https://github.com/w3c/webauthn/issues/2228

TAG review

None

TAG review status

Pending

Risks



Interoperability and Compatibility

None



Gecko: No signal

WebKit: No signal

Web developers: No signal

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Is this feature fully tested by web-platform-tests?

No

Flag name on about://flags

None

Finch feature name

None

Non-finch justification

None

Requires code in //chrome?

True

Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5164322780872704?gate=5189713352458240

This intent message was generated by Chrome Platform Status.
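
The flow described in the Summary, as an added example that is not part of the original message or of Chromium's code. It assumes the mode is requested with `mediation: "immediate"` (the message names the mode but not the literal); `immediateSignIn` and the `outcome` labels are hypothetical names, and the credentials container is passed in so the function can be exercised without a browser.

```javascript
// Added example. immediateSignIn and the "outcome" labels are hypothetical.
// Assumption: the new mode is requested with mediation: "immediate".
async function immediateSignIn(credentials, challenge, rpId) {
  const request = {
    mediation: "immediate",
    password: true, // also accept a saved password, as the Summary allows
    publicKey: {
      challenge, // fresh random bytes issued by the server for this attempt
      rpId,
      allowCredentials: [], // empty: the browser may offer any passkey it knows
      userVerification: "preferred",
    },
  };
  let cred;
  try {
    cred = await credentials.get(request);
  } catch (err) {
    switch (err && err.name) {
      case "NotFoundError":
        // Nothing immediately known to the browser: no UI was shown.
        return { outcome: "fallback", reason: "no-credential" };
      case "TypeError":
        // Browsers without the mode reject the unknown enum value.
        return { outcome: "fallback", reason: "unsupported" };
      case "NotAllowedError":
        // Existing WebAuthn error for a dismissed or timed-out prompt.
        return { outcome: "cancelled" };
      default:
        throw err; // unexpected: surface it rather than mask a real failure
    }
  }
  if (!cred) return { outcome: "fallback", reason: "no-credential" };
  // Either result is only a claim until the server verifies it: the assertion
  // signature and challenge for a passkey, the secret for a password.
  const outcome = cred.type === "public-key" ? "passkey" : "password";
  return { outcome, credential: cred };
}
```

In a page, the call would be `immediateSignIn(navigator.credentials, challengeFromServer, location.hostname)`, with a `fallback` outcome leading to the site's existing sign-in page.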