Re: [webauthn] Allow immediate mediation (#2228)

@kenrb @deephand: Have you considered a user consent-driven approach on the web? 

Instead of requiring a user gesture for immediate mediation (which has proven to be a [bad](https://www.corbado.com/blog/safari-webauthn-user-activated-events) idea), an automatic flow could leverage explicit, browser-level consent (e.g. after credential creation or use). Users could opt in (after an RP requests that) to allow the RP to initiate a WebAuthn ceremony automatically (with user verification) when visiting a page, clicking a login button, or navigating to a login page. This consent would allow the RP to infer credential availability without breaking privacy guarantees, as the browser would manage storage, control, and permission. It also enables the use of AllowCredentials after identifier-first flows, aligning with natural login flows users already expect. As there is user consent, using AllowCredentials becomes an option.

-- 
GitHub Notification of comment by kopy
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2228#issuecomment-2616415958 using your GitHub account
-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 27 January 2025 17:17:48 UTC
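As an added illustration of the identifier-first flow the comment above describes (this is not code from the w3c/webauthn issue, the spec, or the commenter), the following relying-party-side sketch builds a `navigator.credentials.get()` request with `mediation: "immediate"` (the value under discussion in issue #2228; it is a proposal, so the final name is an assumption) and an `allowCredentials` list narrowed by the username the user already typed. The browser-level consent the comment proposes is not something an RP can implement; here it is represented only by a constructed stand-in for `navigator.credentials` that either returns an assertion or rejects. The assumption that a browser signals "nothing available right now" with a `NotAllowedError` is mine, as are the sample account store, the base64url helper and the fake browser.

```javascript
// Added example, not from the w3c/webauthn issue or its commenters.
// RP-side identifier-first login requesting an immediate mediation ceremony.
// The browser's credentials API is injected so the flow can run offline in Node.

// Constructed sample account store: username -> credential ids the RP registered
// for that user, stored base64url-encoded as most RPs do.
const ACCOUNTS = {
  alice: ["AQIDBA", "BQYHCAk"],
  bob: [],
};

// allowCredentials[].id must be a BufferSource, so decode base64url to bytes.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(Buffer.from(padded, "base64"));
}

// Step 1 (identifier-first): once the user has named an account, the RP can
// scope the ceremony to that account's credentials. Naming them is acceptable
// only because the browser still decides whether an automatic ceremony may run.
function buildImmediateRequest(username, challenge, rpId) {
  const ids = ACCOUNTS[username] || [];
  return {
    mediation: "immediate", // proposed value from issue #2228 (assumption: final name)
    publicKey: {
      challenge,            // fresh random bytes minted server-side per attempt
      rpId,
      userVerification: "required", // the comment asks for UV on automatic flows
      allowCredentials: ids.map((id) => ({ type: "public-key", id: base64urlToBytes(id) })),
      timeout: 60000,
    },
  };
}

// Step 2: run the ceremony. If the browser cannot proceed immediately (no consented,
// matching credential), fall back to the ordinary interactive login path instead of
// failing the user. Any other error is a genuine fault and is propagated.
async function tryImmediateLogin(credentialsApi, request) {
  try {
    const assertion = await credentialsApi.get(request);
    return { outcome: "assertion", credentialId: assertion.id };
  } catch (err) {
    if (err && err.name === "NotAllowedError") {
      return { outcome: "fallback", reason: err.message };
    }
    throw err;
  }
}

// Constructed stand-in for navigator.credentials: it holds exactly one credential
// and only answers immediate requests that list it; everything else is rejected with
// NotAllowedError (assumption about how a browser would report "nothing available").
function makeFakeBrowser(knownCredentialId) {
  return {
    async get(request) {
      const allowed = request.publicKey.allowCredentials.map((c) =>
        Buffer.from(c.id).toString("base64url"));
      if (request.mediation === "immediate" && allowed.includes(knownCredentialId)) {
        return { id: knownCredentialId, type: "public-key" };
      }
      const e = new Error("no immediately available credential");
      e.name = "NotAllowedError";
      throw e;
    },
  };
}

// Stand-alone demo: alice has a consented credential, bob does not.
const demoBrowser = makeFakeBrowser("BQYHCAk");
const demoChallenge = new Uint8Array(32); // real code: crypto.getRandomValues()
Promise.all([
  tryImmediateLogin(demoBrowser, buildImmediateRequest("alice", demoChallenge, "example.com")),
  tryImmediateLogin(demoBrowser, buildImmediateRequest("bob", demoChallenge, "example.com")),
]).then(([alice, bob]) => console.log(alice.outcome, bob.outcome)); // prints "assertion fallback"
```

The design point is the two-way split in `tryImmediateLogin`: the RP treats "the browser would not run an automatic ceremony" as a routine signal to show its normal login UI, not as an authentication failure, so the consent decision stays with the browser and nothing about credential presence is exposed beyond what the user agreed to.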