Re: [w3ctag/design-reviews] Web Authentication Immediate Mediation (Issue #1092)

jyasskin left a comment (w3ctag/design-reviews#1092)

We [discussed this proposal this week](https://github.com/w3ctag/meetings/blob/gh-pages/2025/telcons/06-30-minutes.md#design-reviews1092-web-authentication-immediate-mediation---martinthomson), and I was left with the task to figure out if I actively support the feature. To help with that, I had a question from me rather than the TAG as a whole:

* Is there an illustration of the benefit of `immediate` mediation over `conditional`? I see [a flow without `conditional` mediation](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-immediate-mediation#background) and [a flow with `immediate` mediation](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-immediate-mediation#example-use-cases), but nothing showing how the `conditional` autofill flow within the [username] box compares. Maybe there's a problem that the user needs to click that field, which could be alleviated if we give sites an imperative way to show that autofill prompt? Maybe it's that the user needs to click in the autofill box before seeing the system selector, which could be fixed if `conditional` let the page mark that it ought to show the system selector right away?

Given that `credentials.get({'password': true})` also rejects instantly if the user hasn't stored any passwords (https://www.w3.org/TR/credential-management-1/#security-timing), I think we don't need _much_ benefit of `immediate` over `conditional`, but there ought to be _some_ just to justify the increased platform complexity.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1092#issuecomment-3033773998
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/1092/3033773998@github.com>