Re: [webauthn] Add Immediate Mediation (#2291)

> > This could still happen after the user navigates to the login page or exactly where it does now. It’s not random we leave it up to RPs - we had this exact same discussion with WebAuthn user gestures for Safari and they were lifted. As someone responsible for large consumer RP implementations, I have problems seeing clearly how this approach helps for most pages.
> 
> The main advantage of not having a user gesture requirement for existing modal WebAuthn calls is that they can be used for re-auth, a use case for which immediate mediation isn't useful.
> 
I see your point, but my comment referred to the fact that continuously triggering WebAuthn requests hasn’t yet emerged as a significant abuse issue. WebKit also moved away from enforcing user gestures for WebAuthn, recognizing that plenty of alternative approaches are available to effectively rate-limit such behavior. For example, I can see why this is useful in cross-origin iframes.

> Immediate is aimed at scenarios in which a user has done something to indicate a sign-in is appropriate at that time. This isn't precisely replicating `preferImmediatelyAvailableCredentials` on mobile because the web has different privacy properties.
> 
> There is a separate proposal for a mode called Ambient, in which more subtle (non-modal) UI is displayed to offer the user an opportunity to sign-in, and would not require user activation. https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Ambient-Signin-UI
> 
> That proposal is still active.

I am aware; thank you, @kenrb. I greatly appreciate Chrome’s efforts to improve the passkey experience. Immediate mediation is helpful, but only precisely for the UI case you mentioned - it’s just challenging for some RP implementations. I was simply suggesting making it more broadly applicable; perhaps the ambient proposal would be better suited.

-- 
GitHub Notification of comment by kopy
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2291#issuecomment-2871177889 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 12 May 2025 07:15:59 UTC
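The RP-side call flow the thread is arguing about (try immediate mediation on a user-initiated sign-in, fall back to the modal call when nothing is immediately available, keep the modal call for re-auth), as an added example that is not code from the thread or from the WebAuthn spec. It assumes the PR's `mediation: "immediate"` value rejects with `NotAllowedError` when no credential is immediately available, and uses a constructed fake credential container so the flow runs outside a browser.

```javascript
// Added example: RP-side sign-in flow using WebAuthn immediate mediation.
// `credentials` is anything implementing get() (navigator.credentials in a
// browser); a constructed fake is used below so the flow runs offline.
// Assumption: mediation "immediate" resolves only when a passkey is already
// available without a modal picker, and rejects with NotAllowedError otherwise.

const CHALLENGE = new Uint8Array(32); // constructed placeholder, not a real server challenge

function assertionOptions(mediation) {
  return {
    mediation,
    publicKey: { challenge: CHALLENGE, rpId: "example.com", userVerification: "required" },
  };
}

// purpose: "signin" (user just acted, e.g. clicked a button) or "reauth"
// (step-up on an existing session, where the modal call without a gesture applies).
async function requestAssertion(credentials, { purpose, hasUserActivation }) {
  if (purpose === "reauth") {
    // Re-auth keeps using the existing modal call; immediate mediation adds nothing here.
    return { path: "modal", credential: await credentials.get(assertionOptions("optional")) };
  }
  if (!hasUserActivation) {
    // Immediate mediation needs transient user activation; do not issue a call that will be rejected.
    return { path: "skipped", credential: null };
  }
  try {
    return { path: "immediate", credential: await credentials.get(assertionOptions("immediate")) };
  } catch (err) {
    if (err && err.name === "NotAllowedError") {
      // Nothing immediately available: fall back to the modal picker.
      return { path: "modal", credential: await credentials.get(assertionOptions("optional")) };
    }
    throw err; // anything else (SecurityError, AbortError, ...) is a real failure
  }
}

// Fake credential container (constructed for offline use): `available` decides
// whether an immediate request succeeds; `calls` records the mediation sequence.
function fakeCredentials(available) {
  const calls = [];
  return {
    calls,
    async get(opts) {
      calls.push(opts.mediation);
      if (opts.mediation === "immediate" && !available) {
        const e = new Error("no immediately available credential");
        e.name = "NotAllowedError";
        throw e;
      }
      return { id: "cred-1", type: "public-key" };
    },
  };
}
```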