- From: Jeffrey Yasskin <notifications@github.com>
- Date: Mon, 08 Dec 2025 20:23:44 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1092/3630215411@github.com>
jyasskin left a comment (w3ctag/design-reviews#1092)

Thanks for iterating on this review with us. After discussing it, we're not convinced that the proposed solution is well-matched to the problems that people want it to solve, and we're worried about adding complexity to the platform that may prove to be unnecessary.

Looking at the evolving user needs described in the [explainer](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-immediate-mediation#goal), [this thread](https://github.com/w3ctag/design-reviews/issues/1092#issuecomment-2998115943), and the [WebAuthn issue](https://github.com/w3c/webauthn/issues/2228#issuecomment-3576797662), we're not sure the WebAuthn community is even aligned on what problems it wants this feature to solve. The community needs to have a shared idea of the problems before the TAG can effectively evaluate any proposed solution. It's fine for there to be multiple problems solved by a single proposal, but you shouldn't usually need to add new problems in response to review comments.

We're also concerned that the explainer and other threads don't present the best-possible alternative UI if this feature isn't adopted, and they don't show how existing sites have worked around any problems caused by the lack of this feature. We do appreciate the work that @kenrb put into writing the [comparison with Conditional UI](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-immediate-mediation#comparison-to-conditional-ui), but we disagree that a browser dialog is a better user experience than an inline login form in most or all of those situations. This belief could be disproven by user studies or enough evidence from live websites, but that evidence hasn't been presented.

We're split about how heavily to weigh @rmondello's [concern](https://github.com/w3c/webauthn/issues/2228#issuecomment-3443764943), that `immediate` leaks the fact that a user has an account on a site, on the first visit to the site. We all agree that if a person uses browser UI to sign out of a site (e.g. by clearing its storage), they shouldn't have to also move to Private Mode to hide the fact that they have an account.

Because of the above, we're closing this with an "unsatisfied" resolution. We do think this is an important problem space, and we encourage the community to keep trying to figure out exactly what problems users need solutions for, and then what UX designs would best solve those problems. We look forward to reviewing the results.
Received on Tuesday, 9 December 2025 04:23:48 UTC