Re: [w3ctag/design-reviews] Credential Management: Conditional Mediation (Issue #692)

Hi @torgo, thank you for looking into this! I have [ported the explainer to a wiki file written in markdown on the WebAuthn repository](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI).

I'll try to answer all the questions below:

> if the user does have an appropriate credential but they don't want to use it - for example, they want to log in as another identity - then what information does the web app know about the user's choice?

The user agent will disclose a credential if and only if the user selects that webauthn credential and passes the local user verification challenge. For any other case, the user agent won't disclose anything at all. In other words, if they want to log in with a different identity, the website will get no information at all through WebAuthn/Conditional UI. I have updated the [explainer's privacy considerations](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI#privacy-considerations) to make this more clear.

> If the web page displays a username and password dialog at the same time that the browser surfaces a webauthn UI of some kind to pick a credential, isn't that going to be confusing to the user?

Conditional UI is designed to integrate with the browser's existing autofill UI surface to address this, i.e. it should be no more confusing than the website offering to autofill a password.

> Since the web page won't know that the browser is supplying this UI (which seems important from a privacy & security standpoint) how is that expected to work?

Autofill surfaces and sign-in forms already deal with this UI dynamic, which we are leveraging for Conditional UI.

Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/692#issuecomment-990192260

Received on Thursday, 9 December 2021 19:53:38 UTC
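As an added illustration of the flow discussed in the comment above (example code, not from the thread or the WebAuthn explainer), here is a relying-party page that starts a conditional-mediation request so the browser can offer passkeys inside its autofill surface, and cancels it if the user submits the password form instead. The rpId, the form id and the challenge bytes are placeholders standing in for server-provided values.

```javascript
// Added example, not code from the issue thread. Assumed markup on the page:
//   <input name="username" autocomplete="username webauthn">
//   <form id="password-form"> ... </form>
const PLACEHOLDER_RP_ID = "example.com"; // placeholder, not a real deployment

// Build the navigator.credentials.get() argument for a conditional request.
// No allowCredentials entry: the browser offers the discoverable credentials
// it holds for this rpId, and the page learns nothing until the user picks
// one from the autofill list and passes local user verification.
function buildConditionalRequest(challenge, rpId, signal) {
  return {
    mediation: "conditional",
    signal,
    publicKey: {
      challenge,                      // server-issued, single-use random bytes
      rpId,
      userVerification: "required",   // matches the UV step described above
    },
  };
}

// Feature detection: conditional mediation is optional for user agents.
async function conditionalMediationAvailable() {
  if (typeof PublicKeyCredential === "undefined" ||
      typeof PublicKeyCredential.isConditionalMediationAvailable !== "function") {
    return false;
  }
  return PublicKeyCredential.isConditionalMediationAvailable();
}

// Start the request at page load. Resolves to null when the user never
// selects a passkey (e.g. they log in with a password), so the page sees
// no signal about which identities the browser holds.
async function startConditionalSignIn(challenge, rpId = PLACEHOLDER_RP_ID) {
  if (!(await conditionalMediationAvailable())) return null;
  const controller = new AbortController();
  // A password submission means the pending WebAuthn request must be aborted.
  document.getElementById("password-form")
    .addEventListener("submit", () => controller.abort(), { once: true });
  try {
    return await navigator.credentials.get(
      buildConditionalRequest(challenge, rpId, controller.signal));
  } catch (err) {
    if (err.name === "AbortError") return null; // user chose another path
    throw err;
  }
}
```

The returned assertion (when non-null) is sent to the server for signature and challenge verification as with any WebAuthn sign-in; the conditional request itself changes only how the browser surfaces the choice.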