Intent to Ship: Web Authentication Conditional UI


Nina Satragno

Sep 19, 2022, 5:25:43 PM
to blin...@chromium.org

Contact emails

nsat...@chromium.org, ke...@chromium.org, a...@chromium.org


Explainer

https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI


Specification

https://w3c.github.io/webauthn/#GetAssn-ConditionalMediation-Interact-FormControl


https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#attr-fe-autocomplete-webauthn


Design docs

https://docs.google.com/document/d/1KzEWP0aoLMZ0asfw6d3-7UHJ6csTtxLA478EgptCvkk


Summary

A new mode for WebAuthn that displays a credential selection UI only if the user has a discoverable credential registered with the Relying Party on their platform authenticator. The credential is displayed in autofill UI alongside username and password suggestions for sign-in fields. This solves the bootstrapping problem when replacing traditional username and password flows with WebAuthn: websites can fire a WebAuthn call while showing a regular password prompt without worrying about showing a modal dialog error if the device lacks appropriate credentials.


Websites must opt-in to the feature by triggering a conditional mediation WebAuthn request on a sign-in page.


Blink component

Blink>WebAuthentication


Search tags

webauthn, conditional ui, conditional mediation, web authentication


TAG review

https://github.com/w3ctag/design-reviews/issues/692


TAG review status

Approved


Risks



Interoperability and Compatibility

Very low: this is a new feature that's already implemented by Safari on their Technology Preview.


Gecko: No signal


WebKit: Shipped/Shipping in beta (https://developer.apple.com/videos/play/wwdc2022/10092) See around 16:20


Web developers: No signals


Other signals:


WebView application risks

WebAuthn is not supported on WebViews, so this feature does not change anything for WebView.



Debuggability

This feature is supported by the WebAuthn Devtools panel


https://developer.chrome.com/docs/devtools/webauthn/


Create a new authenticator with transport = "internal", resident key and user verification support to test it.


WebAuthn debugging in general is not supported on Android.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No


The feature requires support from the underlying OS. It will be supported on Win11+, Mac, and Android, with ChromeOS support coming later.


Support will be surfaced via PublicKeyCredential.isConditionalMediationAvailable().


Debugging support will be available on all desktop platforms from the start (including linux).



Is this feature fully tested by web-platform-tests?

Yes.


https://wpt.fyi/results/webauthn/conditional-mediation.https.html

https://wpt.fyi/results/html/semantics/forms/the-form-element/form-autocomplete.html


DevTrial instructions

https://webauthn-conditional-ui-demo.glitch.me


Flag name

--enable-features=WebAuthenticationConditionalUI


Requires code in //chrome?

Yes


Tracking bug

https://crbug.com/1171985


Launch bug

https://crbug.com/1349891


Non-OSS dependencies

Windows WebAuthn API version 4 (Win11+). Android P+


Sample links

https://webauthn-conditional-ui-demo.glitch.me


Estimated milestones

Launch

(Android, Win, Mac)

108


Anticipated spec changes

We got feedback to relax the restriction on empty allow lists, and will do this before shipping: https://github.com/w3c/webauthn/issues/1793 crbug.com/1365669


No other issues present at the time (see https://github.com/w3c/webauthn/issues)


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5144633101778944


Links to previous Intent discussions

Ready for Trial: https://groups.google.com/a/chromium.org/g/blink-dev/c/laxVRNSzMVo



This intent message was generated by Chrome Platform Status.



--

Nina Satragno
Ingeniera en Informática
she/her
nsat...@chromium.org
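How a sign-in page would drive the flow described in the Summary, as an added example that is not code from the Intent, the explainer or Chromium. It assumes the page has already fetched a base64url challenge from its server and renders an `<input autocomplete="username webauthn">` field; the window object is passed in (an assumption made for testability) so the same code can be exercised outside a browser with a stub.

```javascript
// Added example (not from the Intent or Chromium): the conditional-mediation
// sign-in flow. `win` stands in for the browser window so the flow can be
// exercised with a stub outside a browser (assumption for this example).

// Decode a base64url challenge from the server into the bytes WebAuthn needs.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === "function"
    ? atob(b64 + pad)
    : Buffer.from(b64 + pad, "base64").toString("binary");
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Build the request: mediation "conditional" so no modal appears when the
// platform authenticator has no matching credential, and an empty
// allowCredentials so the browser offers the discoverable credentials it
// holds for rpId in the autofill dropdown.
function buildConditionalRequest(challengeB64url, rpId) {
  return {
    mediation: "conditional",
    publicKey: {
      challenge: base64urlToBytes(challengeB64url),
      rpId,
      allowCredentials: [],
      userVerification: "preferred",
    },
  };
}

// Fire the request on page load, alongside the regular password form.
// Resolves to the assertion (to be POSTed to the server for verification)
// or null when conditional UI is unavailable; either way the user can
// still type a password, which is the bootstrapping property the
// feature is for.
async function startConditionalSignIn(win, challengeB64url, rpId) {
  const PKC = win.PublicKeyCredential;
  if (!PKC || typeof PKC.isConditionalMediationAvailable !== "function") {
    return null; // older browser or unsupported OS
  }
  if (!(await PKC.isConditionalMediationAvailable())) {
    return null; // e.g. Windows versions before Win11
  }
  return win.navigator.credentials.get(
    buildConditionalRequest(challengeB64url, rpId),
  );
}
```

The server must still verify the returned assertion (challenge, origin, signature) exactly as for a non-conditional request; conditional mediation only changes how the credential is surfaced.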

Jeffrey Yasskin

Sep 19, 2022, 5:36:25 PM
to Nina Satragno, blink-dev
On Mon, Sep 19, 2022 at 2:25 PM Nina Satragno <nsat...@chromium.org> wrote:

...


Interoperability and Compatibility

Very low: this is a new feature that's already implemented by Safari on their Technology Preview.


Gecko: No signal


It's probably worth filing a standards-position request for significant WebAuthn changes, even though I see from https://groups.google.com/a/chromium.org/g/blink-dev/c/Vfg2o0peyYg/m/Vp0h8i5VBQAJ that we can't expect Mozilla to respond. 

Other than that: Yay!

Jeffrey

Nina Satragno

Sep 19, 2022, 6:03:08 PM
to Jeffrey Yasskin, blink-dev

Mike West

Sep 26, 2022, 3:50:34 AM
to blink-dev, Nina Satragno, blink-dev, Jeffrey Yasskin
LGTM1.

The internal privacy/security review concluded that the design of the developer flow's integration with an autofill prompt substantially mitigates privacy concerns around knowing whether the user has credentials. `isConditionalMediationAvailable` is tied to the underlying platform which we already reveal to the site through UA client hints and highly correlated with `isUserVerifyingPlatformAuthenticatorAvailable`, though it does allow marginal distinction between Win11+ and other Windows versions. Given that we're relying on the underlying platform authenticator, this is a leak we're unlikely to be able to address.

The benefits of driving more cross-browser usage of WebAuthn are substantially security-positive, however, and pushing the passkey story forward is a solid justification for shipping this mechanism IMO. Safari and Edge being on board mitigates to some extent the lack of engagement from Mozilla. Thank you for filing the standards position request anyway; I've poked some folks on the side to see if there's someone who might be interested in paying more attention.

In the meantime, good luck shipping this!

-mike

Yoav Weiss

Sep 26, 2022, 5:07:23 AM
to Mike West, blink-dev, Nina Satragno, Jeffrey Yasskin
LGTM2


Rick Byers

Sep 27, 2022, 10:52:39 AM
to Yoav Weiss, Mike West, blink-dev, Nina Satragno, Jeffrey Yasskin
LGTM3

I'm really excited to see this ship. It seems likely to be a key to really unlocking widespread WebAuthn usage to me.

Rick
