- From: Ken Buchanan via GitHub <noreply@w3.org>
- Date: Wed, 03 Dec 2025 21:13:21 +0000
- To: public-webauthn@w3.org
@jyasskin I think there is a miscommunication above. Immediate is a modal sign-in, and is an attempt to solve the problem that a site often doesn't know whether a user has an available passkey and therefore can't make a modal WebAuthn invocation without showing undesirable UI. You are correct that if the site _does_ know the user has an available passkey, they can make that invocation. We are addressing the first situation. > If an `immediate` uiMode is worthwhile, I would expect to find sites in the wild that do save their users' preferred login methods, in order to streamline subsequent login attempts. I don't recall ever encountering such a site in my own browsing, but maybe y'all know of some? PayPal is one example, and is also one of the sites that has expressed support for the Immediate proposal. If you use a passkey to sign in to PayPal, or create a passkey while already signed in, it appears to associate that information with a cookie or local storage after you log out. If you subsequently attempt to sign in again, it will make a modal passkey request and skip showing any other sign-in UI, so all I see is the browser dialog with my passkey. Having created a passkey for my account on my Mac, if I go to my Windows PC or my phone and try to log in to PayPal I am instead presented with a form asking me to enter my username or phone number. They do use conditional UI, so I can choose to use autofill to select either a username/password or a passkey to sign in. We are contending that the flow that uses the modal invocation is better than the one that does not. It appears that the TAG disagrees with that contention, even setting aside the privacy question and the proposed mitigations. I can't offer a strong empirical basis to support that, but I'd encourage people to compare the flows themselves. If the disagreement on this point stands then I don't think we can sway the TAG to support this proposal. -- GitHub Notification of comment by kenrb Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2228#issuecomment-3608863379 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 3 December 2025 21:13:22 UTC