Intent to Ship: Web Authentication Conditional UI


Nina Satragno

Sep 19, 2022, 5:25:43 PM

Contact emails



Design docs


A new mode for WebAuthn that displays a credential selection UI only if the user has a discoverable credential registered with the Relying Party on their platform authenticator. The credential is displayed in autofill UI alongside username and password suggestions for sign-in fields. This solves the bootstrapping problem when replacing traditional username and password flows with WebAuthn: websites can fire a WebAuthn call while showing a regular password prompt without worrying about showing a modal dialog error if the device lacks appropriate credentials.

Websites must opt in to the feature by triggering a conditional mediation WebAuthn request on a sign-in page.

Blink component


Search tags

webauthn, conditional ui, conditional mediation, web authentication

TAG review

TAG review status



Interoperability and Compatibility

Very low: this is a new feature that's already implemented by Safari on their Technology Preview.

Gecko: No signal

WebKit: Shipped/Shipping in beta ( See around 16:20

Web developers: No signals

Other signals:

WebView application risks

WebAuthn is not supported on WebViews, so this feature does not change anything for WebView.


This feature is supported by the WebAuthn Devtools panel

Create a new authenticator with transport = "internal", resident key and user verification support to test it.

WebAuthn debugging in general is not supported on Android.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?


The feature requires support from the underlying OS. It will be supported on Win11+, Mac, and Android, with ChromeOS support coming later.

Support will be surfaced via PublicKeyCredential.isConditionalMediationAvailable().

Debugging support will be available on all desktop platforms from the start (including Linux).

Is this feature fully tested by web-platform-tests?


DevTrial instructions

Flag name


Requires code in //chrome?


Tracking bug

Launch bug

Non-OSS dependencies

Windows WebAuthn API version 4 (Win11+). Android P+

Sample links

Estimated milestones


(Android, Win, Mac)


Anticipated spec changes

We got feedback to relax the restriction on empty allow lists, and will do this before shipping:

No other issues present at the time (see

Link to entry on the Chrome Platform Status

Links to previous Intent discussions

Ready for Trial:

This intent message was generated by Chrome Platform Status.


Nina Satragno
Computer Engineer
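The opt-in flow this intent describes (feature-detect with PublicKeyCredential.isConditionalMediationAvailable(), then issue a conditional mediation request), as an added example that is not part of the original message or Chromium's code. The `env` parameter, the function names and the `example.com` RP ID are assumptions for illustration.

```javascript
// Added example, not Chromium code. `env` stands in for the browser globals
// ({ PublicKeyCredential, credentials: navigator.credentials }) so the logic
// can also be exercised outside a browser.

// Build the navigator.credentials.get() options for a conditional request.
function buildConditionalRequest(challenge, rpId, signal) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new TypeError("challenge must be >= 16 server-generated random bytes");
  }
  return {
    mediation: "conditional", // credentials surface in autofill, no modal dialog
    signal,                   // lets the page cancel if the user signs in by password
    publicKey: {
      challenge,
      rpId,
      allowCredentials: [],   // discoverable credentials: no allow list
      userVerification: "preferred",
    },
  };
}

// Resolves to { status: "unsupported" | "aborted" | "assertion", credential? }.
// On "unsupported" the page simply keeps its regular password form.
async function startConditionalSignIn(env, challenge, rpId, signal) {
  const PKC = env.PublicKeyCredential;
  if (!PKC || typeof PKC.isConditionalMediationAvailable !== "function" ||
      !(await PKC.isConditionalMediationAvailable())) {
    return { status: "unsupported" };
  }
  try {
    const options = buildConditionalRequest(challenge, rpId, signal);
    const credential = await env.credentials.get(options);
    return { status: "assertion", credential }; // send to the server for verification
  } catch (err) {
    if (err && err.name === "AbortError") return { status: "aborted" };
    throw err;
  }
}
```

In a browser, pass `{ PublicKeyCredential: window.PublicKeyCredential, credentials: navigator.credentials }` as `env` and mark the username field with `autocomplete="username webauthn"` so the credential appears in its autofill suggestions.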

Jeffrey Yasskin

Sep 19, 2022, 5:36:25 PM
to Nina Satragno, blink-dev
On Mon, Sep 19, 2022 at 2:25 PM Nina Satragno <> wrote:


> Interoperability and Compatibility
>
> Very low: this is a new feature that's already implemented by Safari on their Technology Preview.
>
> Gecko: No signal

It's probably worth filing a standards-position request for significant WebAuthn changes, even though I see from that we can't expect Mozilla to respond. 

Other than that: Yay!


Nina Satragno

Sep 19, 2022, 6:03:08 PM
to Jeffrey Yasskin, blink-dev

Mike West

Sep 26, 2022, 3:50:34 AM
to blink-dev, Nina Satragno, blink-dev, Jeffrey Yasskin

The internal privacy/security review concluded that the design of the developer flow's integration with an autofill prompt substantially mitigates privacy concerns around knowing whether the user has credentials. `isConditionalMediationAvailable` is tied to the underlying platform which we already reveal to the site through UA client hints and highly correlated with `isUserVerifyingPlatformAuthenticatorAvailable`, though it does allow marginal distinction between Win11+ and other Windows versions. Given that we're relying on the underlying platform authenticator, this is a leak we're unlikely to be able to address.

The benefits of driving more cross-browser usage of WebAuthn are substantially security-positive, however, and pushing the passkey story forward is a solid justification for shipping this mechanism IMO. Safari and Edge being on board mitigates to some extent the lack of engagement from Mozilla. Thank you for filing the standards position request anyway; I've poked some folks on the side to see if there's someone who might be interested in paying more attention.

In the meantime, good luck shipping this!


Yoav Weiss

Sep 26, 2022, 5:07:23 AM
to Mike West, blink-dev, Nina Satragno, Jeffrey Yasskin


Rick Byers

Sep 27, 2022, 10:52:39 AM
to Yoav Weiss, Mike West, blink-dev, Nina Satragno, Jeffrey Yasskin

I'm really excited to see this ship. It seems likely to be a key to really unlocking widespread WebAuthn usage to me.

