Re: [webauthn] Allow immediate mediation (#2228)

@rmondello Thank you for the response.

If the promise doesn't resolve in the case where there are no credentials, then I believe this becomes almost identical to the [Ambient UI proposal](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Ambient-Signin-UI) (which hasn't been fully developed, but is something we are still thinking about).

The two proposals are intended to address different use cases. The goal with Immediate is to provide the site a way to trigger WebAuthn UI if a passkey is present, or provide a different option to the user (such as a traditional sign-in page, or a different signed-out experience) if one is not present. For example: Without leaking the existence of a credential, it would not be possible for a site to do a WebAuthn call directly in response to a user's click on a "Sign In" button on the site's home page, resulting in an in-context sign-in.

Ambient would allow sites to attempt to (conditionally) trigger WebAuthn browser UI at an arbitrary time (on a sign-in page, on the home page, or wherever). Immediate aims specifically to enable a conditional trigger in response to a user action, and in particular where the site wants the semantics of "show passkey sign-in UI, _or_ do something else". That isn't possible without the information leakage that we are discussing, but in our view the use case is compelling enough to warrant the trade-off.

> With this kind of change made to the proposal, I can see Apple getting fully onboard.

Understood. If this is Apple's response to the request for a standards position, can that be added to [the issue](https://github.com/WebKit/standards-positions/issues/504)?

-- 
GitHub Notification of comment by kenrb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2228#issuecomment-3444029959 using your GitHub account


Received on Friday, 24 October 2025 16:37:22 UTC