Re: [webauthn] Allow immediate mediation (#2228)

I love the idea of being able to skip Hybrid and other non-immediately available credentials in certain WebAuthn calls. I can see it delivering much smoother sign-in experiences for users that remove a lot of the cognitive load of signing in.

However, I think it is problematic that such a call will leak information to the RP about whether the user has a saved passkey for the website. I think this could be remedied while delivering almost all of the value of the proposal by making immediate mediation a little more like conditional mediation, where there’s no immediate return value to the RP. The RP provides handlers for if the user goes ahead to sign in with a passkey, but if the user agent didn’t have any credentials to show in modal UI, rather than immediately signaling that state, the callback simply is not called.

A thoughtful user agent would also need to ensure that the Page Visibility API doesn’t leak the fact that modal UI is showing.

With this kind of change made to the proposal, I can see Apple getting fully onboard.

-- 
GitHub Notification of comment by rmondello
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2228#issuecomment-3443764943 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 24 October 2025 15:39:47 UTC