- From: Ricky Mondello via GitHub <noreply@w3.org>
- Date: Fri, 24 Oct 2025 17:05:12 +0000
- To: public-webauthn@w3.org
> [@rmondello](https://github.com/rmondello) Thank you for the response. > > If the promise doesn't resolve in the case where there are no credentials, then I believe this becomes almost identical to the [Ambient UI proposal](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Ambient-Signin-UI) (which hasn't been fully developed, but is something we are still thinking about). > > The two proposals are intended to address different use cases. The goal with Immediate is to provide the site a way to trigger WebAuthn UI if a passkey is present, or provide a different option to the user (such as a traditional sign-in page, or a different signed-out experience) if one is not present. For example: Without leaking the existence of a credential, it would not be possible for a site to do a WebAuthn call directly in response to a user's click on a "Sign In" button on the site's home page, resulting in an in-context sign-in. I can see how the shape of what I’m proposing for “immediate” and the ambient proposal are isomorphic, but since the intended use case and behavior in the UA are so different, they’re different, right? > Ambient would allow sites to attempt to (conditionally) trigger WebAuthn browser UI at an arbitrary time (on a sign-in page, on the home page, or wherever). Immediate aims specifically to enable a conditional trigger in response to a user action, and in particular where the site wants the semantics of "show passkey sign-in UI, _or_ do something else". That isn't possible without the information leakage that we are discussing, but in our view the use case is compelling enough to warrant the trade-off. I think it would be OK to load a sign-in page behind the modal that comes up when a user clicks “Sign In”. I think in some testing that Google did in the past, having sign-in related content behind browser UI actually improved sign-in success rates. Can you tell me more about what isn’t possible without the feedback to the RP? -- GitHub Notification of comment by rmondello Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2228#issuecomment-3444105187 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 24 October 2025 17:05:12 UTC