[webauthn] Add support for hinting at verbiage other than "sign in" during authentication (#2086)

Firehed has just created a new issue for https://github.com/w3c/webauthn:

== Add support for hinting at verbiage other than "sign in" during authentication ==
## Description

Currently, there's no way to influence the text shown to users during authentication, beyond the previously-registered name values. For the common case of signing in, the default text provided by user-agents is generally fine and appropriate. However, as WebAuthn and passkeys become more widely deployed, there are additional scenarios where users may be prompted to (re)authenticate where the common "sign in"[^1] text displayed isn't very appropriate.

In order to reduce user confusion in these scenarios, being able to better control the contents of the dialog displayed would be beneficial.

This could perhaps be an enhancement to the existing `PublicKeyCredentialHints`, or a similar additional (optional) structure, defaulting to the current behavior when omitted.

Some use-cases that aren't well served by the existing text and could be enhanced:
- Confirming a payment, donation, or subscription
- Authorizing a sensitive action in an existing session (e.g. "sudo mode")
- Using WebAuthn as a second factor to an existing session

Even being able to be consistent with a website's existing text ("log in" vs "sign in") would be useful, though not nearly as useful as updating the text for actions that aren't actually signing in. Being able to provide free-form text is not something I'd advocate for (yet), but a half-dozen or so predefined enum values could go a long way here.

None of this would change the actual authentication process or data; it's intended solely as a UX improvement to clarify to the end-user the result of using their passkey.

```webidl
enum PublicKeyCredentialInterfaceHints {
    "sign-in",
    "log-in",
    "pay",
    "subscribe",
    "confirm"
};
```

UI concept if the `pay` hint were used:
![passkey-confirm-payment-mock](https://github.com/w3c/webauthn/assets/354842/4a84ab80-1546-45c4-8005-7bb7fa943238)

Specifically in the payment area, I don't think the complexity of providing amounts to display in the dialog is worthwhile - it adds a lot of burden to all parties involved since it would invite stuff like "Subscribe for $6/wk for two months then $10/wk thereafter".

If this is a concept that people want to move forward with, I'd be more than happy to draft up the change more formally.

## Related Links

This has been on the back of my mind for a while, and resurfaced thanks to #2084.

[^1]: The current text already varies quite a bit by OS and browser.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2086 using your GitHub account
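As an added example (not code from the issue, the WebAuthn spec or any browser), the following Node.js snippet shows how a relying party would use the proposed hint purely for presentation: the hint rides along in the `get()` options under a hypothetical `interfaceHint` field, defaults to "sign-in" when omitted, and never enters the signed client data, so the action being authorized is bound to the server-issued challenge instead.

```javascript
// Added example, not code from the issue or the WebAuthn spec. The field name
// `interfaceHint` is hypothetical; the values are the enum proposed in the issue.
const PROPOSED_INTERFACE_HINTS = ["sign-in", "log-in", "pay", "subscribe", "confirm"];

// Server-side record of outstanding challenges and the action each one authorizes.
const pendingChallenges = new Map();

// Build navigator.credentials.get() options for one ceremony. `nonce` is a
// base64url string the caller generated with a CSPRNG (e.g. crypto.randomBytes).
function startCeremony({ action, rpId, interfaceHint, nonce }) {
  const hint = interfaceHint ?? "sign-in";         // omitted hint keeps today's wording
  if (!PROPOSED_INTERFACE_HINTS.includes(hint)) {
    throw new RangeError(`unknown interface hint: ${hint}`);
  }
  pendingChallenges.set(nonce, action);
  return {
    publicKey: {
      challenge: Buffer.from(nonce, "base64url"),  // BufferSource, as WebAuthn requires
      rpId,
      userVerification: "required",
      hints: ["client-device"],                    // existing PublicKeyCredentialHints
      interfaceHint: hint,                         // proposed: UX only, never signed
    },
  };
}

// Verify the clientDataJSON half of an assertion and return the action the
// challenge was issued for. Signature and authenticatorData checks, which a
// real relying party must also perform, are omitted here.
function finishCeremony(clientDataJSONBase64Url, expectedOrigin) {
  const cd = JSON.parse(Buffer.from(clientDataJSONBase64Url, "base64url").toString("utf8"));
  if (cd.type !== "webauthn.get" || cd.origin !== expectedOrigin) return null;
  const action = pendingChallenges.get(cd.challenge);
  if (action === undefined) return null;           // unknown or already-used challenge
  pendingChallenges.delete(cd.challenge);          // single use: no replay
  return action;
}

// Constructed clientDataJSON, shaped like what a browser produces for the
// ceremony above. The hint is absent: the signed data does not carry it.
function fakeClientData(challenge, origin) {
  return Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin, crossOrigin: false }))
    .toString("base64url");
}
```

Whatever wording the browser shows, the server only ever acts on the action it recorded for the challenge that comes back signed.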


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 13 June 2024 20:48:13 UTC