Re: [webauthn] Allow immediate mediation (#2228)

> It doesn’t! Because you’ll still get Hybrid’d. The goal is to only show credentials that are local, and then have a “Passkey” button on the page that will make a full request, including Hybrid.

You're right, I skipped over the point that immediate mediation is supposed to skip the auth attempt if hybrid seems to be the only option available 🤔 

I still see the UX value in @kenrb's proposal as-is for the UX win. But I've been thinking through potential implications if immediate mediation couldn't be the **try -> catch -> navigate to login/** pattern for sake of preserving user privacy. If **navigate to login/** was required first, then I think this feature simplifies to "add `mediation: "immediate"` to an otherwise standard `.get()` call, and the user agent will skip hybrid." But if that's the case, then we arguably wouldn't need to add a new enum for `mediation`: auth-time `hints: ["client-device"]` in the `.get()` call after **navigate to login/** might be existing API functionality that could achieve that behavior instead, with some refined guidance to user agents on how to handle auth-time hints...

I re-reviewed the explainer with an eye on user privacy. Something I noticed is that the example use of immediate mediation features an **empty `allowCredentials`**. Would the **try -> catch -> navigate to login/** pattern be so bad for user privacy if there's a chance that the ceremony, with `allowCredentials: []` which doesn't reveal anything on its own, simply failed because the user's credential was on a security key in the other room/in a locked credential manager vault that was just too finicky to quickly unlock/etc...? The fact that the proposal takes a usernameless-centric stance on how to invoke immediate mediation doesn't seem as fingerprint-y as to whether the user has an account on the site or not.

Question to @kenrb, does "transient activation" require intentional clicking of something on the page? Would e.g. scrolling the page count as transient activation? I skimmed MDN and the WHATWG HTML spec to try and understand UserActivation but it remained unclear.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2228#issuecomment-3444873586 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 24 October 2025 20:51:14 UTC
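The two request shapes the comment contrasts, and the **try -> catch -> navigate to login/** pattern it questions, as an added example that is not part of the thread and not code from the WebAuthn spec, its explainer, or either commenter. Everything here other than the `mediation: "immediate"`, `hints: ["client-device"]` and `allowCredentials: []` values discussed above is assumed: the function names, the `/login/` path, the `example.com` RP ID and zeroed challenge are constructed, and `fakeCredentialsContainer` is a stand-in for `navigator.credentials` that models the proposal (reject with `NotAllowedError` when no local credential is immediately available, instead of offering hybrid) so the flow runs outside a browser; it is not a description of how any user agent actually behaves.

```javascript
// Added example, not from the thread. In a real page you would pass
// navigator.credentials as the container and a real server challenge.

// Request shape implied by the explainer's example: immediate mediation with an
// empty allowCredentials (usernameless). `challenge`/`rpId` are constructed here.
function buildImmediateRequest(challenge, rpId) {
  return {
    mediation: "immediate", // proposed value discussed in w3c/webauthn#2228
    publicKey: {
      challenge,
      rpId,
      allowCredentials: [], // empty: reveals nothing about accounts on its own
      userVerification: "preferred",
    },
  };
}

// The alternative the comment floats: a standard .get() made after navigating to
// login/, with an auth-time hint asking the user agent to prefer the local
// (client-device) authenticator rather than hybrid.
function buildClientDeviceHintRequest(challenge, rpId) {
  return {
    publicKey: {
      challenge,
      rpId,
      allowCredentials: [],
      hints: ["client-device"],
      userVerification: "preferred",
    },
  };
}

// try -> catch -> navigate to login/. `credentials` is navigator.credentials in a
// browser; `navigate` is a callback such as (path) => location.assign(path).
// Returns a result record instead of touching globals so it can be tested.
async function tryImmediateThenFallback(credentials, request, navigate) {
  try {
    const assertion = await credentials.get(request);
    return { outcome: "assertion", assertion };
  } catch (err) {
    // NotAllowedError is the generic "ceremony did not complete" error; the catch
    // block cannot distinguish "no account here" from "key is in the other room",
    // which is exactly the privacy point the comment raises.
    if (err && err.name === "NotAllowedError") {
      navigate("/login/"); // assumed login path
      return { outcome: "navigated", reason: err.name };
    }
    throw err; // anything else (bad options, SecurityError) is a real bug
  }
}

// Constructed stand-in for navigator.credentials. `localCredentialIds` models what
// the user agent knows locally; with mediation "immediate" and nothing local it
// rejects instead of starting a hybrid flow. Assumption, not browser behaviour.
function fakeCredentialsContainer(localCredentialIds) {
  return {
    async get(request) {
      if (request.mediation === "immediate" && localCredentialIds.length === 0) {
        const e = new Error("no immediately available credential");
        e.name = "NotAllowedError";
        throw e;
      }
      // Without "immediate", a missing local credential would fall through to
      // hybrid; modelled here as a placeholder credential id.
      return { id: localCredentialIds[0] ?? "hybrid-credential", type: "public-key" };
    },
  };
}

// Usage: run both branches against the stand-in and report what happened.
async function demo() {
  const req = buildImmediateRequest(new Uint8Array(32), "example.com");
  const visited = [];
  const noLocal = await tryImmediateThenFallback(fakeCredentialsContainer([]), req, (p) => visited.push(p));
  const withLocal = await tryImmediateThenFallback(fakeCredentialsContainer(["cred-1"]), req, (p) => visited.push(p));
  return { noLocal, withLocal, visited };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

The point the code makes concrete is in the `catch`: both the "user has no account here" and the "user's key is elsewhere" cases arrive as the same `NotAllowedError`, so the page's fallback navigation alone does not tell the site (or an observer of the navigation) which one occurred.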