- From: jychab via GitHub <noreply@w3.org>
- Date: Mon, 29 Sep 2025 11:44:19 +0000
- To: public-webauthn@w3.org
jychab has just created a new issue for https://github.com/w3c/webauthn:
== Feature Request: disableAutoSelect for PublicKeyCredentialRequestOptions ==
## Description
Browsers often auto-select a platform credential during navigator.credentials.get() if one exists. This speeds up sign-in but increases friction for users who want to choose an alternative discoverable credential (e.g. roaming keys, passkeys on another device).
Proposal:
Add an optional flag:
```
interface PublicKeyCredentialRequestOptions {
...,
disableAutoSelect?: boolean;
}
```
Behavior:
- If disableAutoSelect is true and allowCredentials is empty, the browser must not auto-select a platform credential.
- Instead, the browser presents all available discoverable credentials.
- Default behavior is unchanged when omitted or false.
Use cases:
- Users with both platform and roaming credentials who want to choose explicitly.
- Shared devices where auto-selecting the wrong platform credential could cause confusion.
Benefits:
- Explicit user choice, reducing risk of accidental or unintended sign-ins.
- Improves UX for multi-device, multi-account setups.
- Encourages adoption of roaming and cross-device passkeys.
Risks:
- Slightly more friction for the user if the Relying Party sets the flag unnecessarily (users will always see a picker instead of seamless sign-in).
- No new security risk: it only reduces automation, doesn’t expand credential exposure.
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2335 using your GitHub account
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 29 September 2025 11:44:20 UTC
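
The selection rule proposed in the issue above, as an added sketch that is not part of the issue, the WebAuthn specification, or any browser's code. The function names, the `{id, kind, discoverable}` credential records and the sample data are assumptions made for illustration; `disableAutoSelect` is the proposed member, not a shipped one.

```javascript
// Toy model of the credential-selection step described under "Behavior".
// Credential records ({id, kind, discoverable}) are constructed sample data.
function selectCredentialUI(options, credentials) {
  const allow = options.allowCredentials ?? [];
  const discoverable = credentials.filter((c) => c.discoverable);

  // Proposed rule: flag set and allowCredentials empty means the browser
  // must not auto-select; it presents all available discoverable credentials.
  if (options.disableAutoSelect === true && allow.length === 0) {
    return { mode: "picker", choices: discoverable.map((c) => c.id) };
  }

  // Flag omitted or false: default behavior is unchanged.
  // Assumption: a non-empty allowCredentials also leaves the default in place,
  // since the issue only defines the flag for the empty case.
  const allowed = allow.length === 0
    ? discoverable
    : credentials.filter((c) => allow.some((a) => a.id === c.id));
  // Assumption: "default" is modelled as the auto-select the issue describes.
  const platform = allowed.find((c) => c.kind === "platform");
  if (platform) return { mode: "auto", choices: [platform.id] };
  return { mode: "picker", choices: allowed.map((c) => c.id) };
}

// Request options a Relying Party would pass as `publicKey` to opt in.
function buildRequestOptions(challenge, rpId) {
  return {
    challenge,
    rpId,
    allowCredentials: [], // empty: discoverable-credential flow
    userVerification: "preferred",
    disableAutoSelect: true, // proposed member from the issue
  };
}

// Constructed sample: one platform passkey, one discoverable roaming key,
// and one non-discoverable roaming key.
const SAMPLE_CREDENTIALS = [
  { id: "platform-alice", kind: "platform", discoverable: true },
  { id: "roaming-alice", kind: "roaming", discoverable: true },
  { id: "roaming-legacy", kind: "roaming", discoverable: false },
];
```

With the flag set, the model returns a picker listing both discoverable credentials; with the flag omitted, the same credential set resolves to the platform credential alone.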