- From: Kostas Pyliouras via GitHub <sysbot+gh@w3.org>
- Date: Thu, 08 May 2025 09:02:22 +0000
- To: public-webauthn@w3.org
While I understand the privacy considerations underlying AllowList limitations, requiring explicit user activation significantly restricts practical usability at scale for this scenario:

- **Direct use on standard login pages (typical scenario for most websites)** is the main issue addressed here. If an email input field is already visible, requiring further user activation for immediate mediation becomes unintuitive, as the user may have already started typing their email. A lot of websites have a profile or menu and not a "sign-in button" on the upper right.

Removing the strict requirement for explicit user activation, aligning with existing first-party WebAuthn implementations, would substantially enhance usability, particularly for the third scenario. Immediate mediation could then seamlessly activate upon page rendering, offering a smoother authentication experience before users interact with input fields.

Notably, every native implementation that supports `preferImmediatelyAvailable`—such as on Android and iOS—does not require a user activation.

Currently, adopting this approach broadly would necessitate extensive UI and workflow adjustments. Furthermore, login pages often redirect users to relying-party single sign-on systems, making UI changes challenging and potentially disrupting existing authentication workflows.

--
GitHub Notification of comment by kopy
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2291#issuecomment-2862303507 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 8 May 2025 09:02:23 UTC