- From: Ken Buchanan <notifications@github.com>
- Date: Mon, 23 Jun 2025 15:15:09 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1092/2998115943@github.com>
kenrb left a comment (w3ctag/design-reviews#1092)

It sounds like the central question you are asking is whether the use case is genuinely compelling, since no level of information leakage is acceptable if it does not provide substantial user benefit. However, the set of cases where this is relevant is considerably wider than what you list.

A significant factor that hasn't been noted is that passkeys sync across devices. So a credential created on one device should become automatically available on another device, browser implementation, and/or profile, as long as the user's passkey provider is available there. For example, suppose a user creates an account on a website while browsing on their phone, and saves a passkey to the platform or a third-party password provider. Later, using a desktop computer, they navigate to the same site. The site does not have any information about who the user is; when the user clicks a "Sign In" button on the page, this API enables the user agent to display the recently-created passkey.

We believe there is value in reducing the incidence of users encountering form-based sign-in pages on the web. They are often complex, offering multiple sign-in methods and putting the onus on the user to remember which one they need to use. This feature would provide a simple low-friction alternative for a user who has signalled their intent to sign in to the site.

The following situations are all cases where this feature would improve the user sign-in experience, because they require a site to have to offer all sign-in options:

- The user is browsing from a new profile, browser, or device.
- The user created an account on a different profile, browser, or device than they are currently using, and has not signed in on this one yet.
- The user has not visited the site within the window for the site's cookie expiry time, and cookies have been deleted. Many websites set short cookie expirations, for a variety of reasons, including regulations in some instances.
- The user has manually cleared cookies.
- The user wants to sign in with a different account than they previously signed in with.

You are right that sites can use cookies to offer simplified re-authentication flows when those cookies are available, but form-based sign-in pages are still commonly encountered on the web. We have received positive feedback from developers who believe this will improve the sign-in flow for their users.

-- Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/1092#issuecomment-2998115943
Received on Monday, 23 June 2025 22:15:14 UTC
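As an added illustration of the flow kenrb describes (not code from the thread, the TAG, or any browser project), the following "Sign In" click handler first asks the user agent for a passkey it already knows about and, when none is available, falls back to the site's full form-based sign-in page. It assumes the API under discussion is the `mediation: "immediate"` option of WebAuthn's `navigator.credentials.get()`; the RP ID, fallback URL, and challenge value are constructed placeholders, and the `attemptImmediatePasskeySignIn` helper is hypothetical. The functions are written so they also run under Node.js without a browser.

```javascript
// Added example, not part of the original thread. Assumes WebAuthn
// "immediate" mediation; RP ID, URL and challenge are constructed placeholders.
const RP_ID = "example.com";              // constructed placeholder
const FALLBACK_SIGN_IN_PAGE = "/signin";  // constructed placeholder

// Decode a base64url-encoded server challenge into raw bytes.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(s.length / 4) * 4, "=");
  return Uint8Array.from(Buffer.from(b64, "base64"));
}

// Build the request. With "immediate" mediation the user agent rejects
// promptly when it knows of no usable credential for this RP, instead of
// showing a modal prompt, so the site can present all sign-in options.
function buildImmediateRequest(challengeB64url) {
  return {
    mediation: "immediate",
    publicKey: {
      challenge: base64urlToBytes(challengeB64url),
      rpId: RP_ID,
      userVerification: "preferred",
      // Empty: the site does not yet know who the user is, so it relies on
      // discoverable credentials (synced passkeys) the user agent can offer.
      allowCredentials: [],
    },
  };
}

// Run the flow against a CredentialsContainer-like object (hypothetical
// helper). Returns a plain result instead of throwing for the expected
// "no passkey known here" case, so the caller can route to the form page.
async function attemptImmediatePasskeySignIn(credentialsApi, challengeB64url) {
  const request = buildImmediateRequest(challengeB64url);
  try {
    const credential = await credentialsApi.get(request);
    if (!credential) {
      return { outcome: "fallback", reason: "no-credential", target: FALLBACK_SIGN_IN_PAGE };
    }
    // The assertion must still be verified server-side before any session is issued.
    return { outcome: "passkey", credentialId: credential.id };
  } catch (err) {
    // NotAllowedError: no known passkey or the user dismissed the UI.
    // NotSupportedError: this browser does not implement immediate mediation.
    if (err && (err.name === "NotAllowedError" || err.name === "NotSupportedError")) {
      return { outcome: "fallback", reason: err.name, target: FALLBACK_SIGN_IN_PAGE };
    }
    throw err; // anything else is a genuine bug and should surface
  }
}

// Browser wiring; inert when run under Node.js.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  document.getElementById("sign-in")?.addEventListener("click", async () => {
    const result = await attemptImmediatePasskeySignIn(
      navigator.credentials, "c2VydmVyLWNoYWxsZW5nZQ" /* constructed challenge */);
    if (result.outcome === "fallback") {
      location.assign(result.target);   // full sign-in page with every option
    } else {
      console.log("passkey assertion received", result.credentialId);
    }
  });
}
```

The design point is that the immediate attempt is a probe, not the whole flow: every situation in the list above (new device, cleared or expired cookies, a different account) ends in the same fallback path, so the form-based page remains the authoritative sign-in surface and the passkey path is only a shortcut when the user agent already holds a matching credential.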