Skip to content

Add Immediate Mediation #2291

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add Immediate Mediation #2291

wants to merge 6 commits into from
+75 −4

Conversation

kenrb
Copy link

@kenrb kenrb commented May 6, 2025
edited by pr-preview bot
Loading

This specifies the behaviour of the mediation: 'immediate'.

Issue: #2228
Explainer: https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-immediate-mediation

Parallel PR adding the enum to Credential Management: w3c/webappsec-credential-management#272

Preview | Diff

kenrb and others added 6 commits April 29, 2025 20:56
@kenrb
Add Immediate Mediation mode
ce613c7 
This PR adds the Immediate Mediation mode for WebAuthn requests,
which shows discoverable credentials to the user if any are
silently found, or else throws a `NotAllowedError` if there are
none.

See the
[explainer](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-immediate-mediation) for more context.
A parallel PR to add the mode to the Credential Management
specification will be created.
@kenrb
Fix link issue
2550083
@kenrb
Tweaks
6ac83d0
@emlun @kenrb
Add JSON partial dictionaries for extensions
1f80905
@kenrb
Added some more bits
be131e3
@kenrb
Merge branch 'w3c:main' into immediate-mediation
1251885
@emlun emlun self-requested a review May 7, 2025 18:09
@kopy
Copy link

kopy commented May 8, 2025
edited
Loading

While I understand the privacy considerations underlying AllowList limitations, requiring explicit user activation significantly restricts practical usability at scale for this scenario:

  • Direct use on standard login pages (typical scenario for most websites) is the main issue addressed here. If an email input field is already visible, requiring further user activation for immediate mediation becomes unintuitive, as the user may have already started typing their email. A lot of websites have a profile or menu and not a "sign-in button" on the upper right or use "layers"

Removing the strict requirement for explicit user activation, aligning with existing first-party WebAuthn implementations, would substantially enhance usability. Immediate mediation could then seamlessly activate upon page rendering, offering a smoother authentication experience before users interact with input fields. Notably, every native implementation that supports preferImmediatelyAvailable—such as on Android and iOS—do not require a user activation.

Currently, adopting this approach broadly would necessitate extensive UI and workflow adjustments. Furthermore, login pages often redirect users to relying-party single sign-on systems, making UI changes challenging and potentially disrupting existing authentication workflows.

@Firstyear
Copy link
Contributor

Having webauthn prompts randomly trigger on a page load with no explanation or context for users, sounds like the exact opposite of good UX to me - it sounds a lot more like a path to confusion and frustration.

@kopy
Copy link

kopy commented May 8, 2025

Having webauthn prompts randomly trigger on a page load with no explanation or context for users, sounds like the exact opposite of good UX to me - it sounds a lot more like a path to confusion and frustration.

This could still happen after the user navigates to the login page or exactly where it does now. It’s not random we leave it up to RPs - we had this exact same dicussion with WebAuthn user gestures for Safari and they were lifted. As someone responsible for large consumer RP implementations, I have problems seeing clearly how this approach helps for most pages.

@kenrb
Copy link
Author

kenrb commented May 9, 2025

This could still happen after the user navigates to the login page or exactly where it does now. It’s not random we leave it up to RPs - we had this exact same dicussion with WebAuthn user gestures for Safari and they were lifted. As someone responsible for large consumer RP implementations, I have problems seeing clearly how this approach helps for most pages.

The main advantage of not having a user gesture requirement for existing modal WebAuthn calls is that they can be used for re-auth, a use case for which immediate mediation isn't useful.

Immediate is aimed at scenarios in which a user has done something to indicate a sign-in is appropriate at that time. This isn't precisely replicating preferImmediatelyAvailableCredentials on mobile because the web has different privacy properties.

There is a separate proposal for a mode called Ambient, in which more subtle (non-modal) UI is displayed to offer the user an opportunity to sign-in, and would not require user activation. https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Ambient-Signin-UI

That proposal is still active.

@kopy
Copy link

kopy commented May 12, 2025

This could still happen after the user navigates to the login page or exactly where it does now. It’s not random we leave it up to RPs - we had this exact same dicussion with WebAuthn user gestures for Safari and they were lifted. As someone responsible for large consumer RP implementations, I have problems seeing clearly how this approach helps for most pages.

The main advantage of not having a user gesture requirement for existing modal WebAuthn calls is that they can be used for re-auth, a use case for which immediate mediation isn't useful.

I see your point, but my comment referred to the fact that continuously triggering WebAuthn requests hasn’t yet emerged as a significant abuse issue. WebKit also moved away from enforcing user gestures for WebAuthn, recognizing that plenty of alternative approaches are available to effectively rate-limit such behavior. For example, I can see why this is useful in cross-origin iframes.

Immediate is aimed at scenarios in which a user has done something to indicate a sign-in is appropriate at that time. This isn't precisely replicating preferImmediatelyAvailableCredentials on mobile because the web has different privacy properties.

There is a separate proposal for a mode called Ambient, in which more subtle (non-modal) UI is displayed to offer the user an opportunity to sign-in, and would not require user activation. https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Ambient-Signin-UI

That proposal is still active.

I am aware; thank you, @kenrb. I greatly appreciate Chrome’s efforts to improve the passkey experience. Immediate mediation is helpful, but only precisely for the UI case you mentioned - it’s just challenging for some RP implementations. I was simply suggesting making it more broadly applicable; perhaps the ambient proposal would be better suited.

@kenrb kenrb mentioned this pull request May 12, 2025
Open
1 task
This was referenced Jun 2, 2025
Open
Open
@timcappalli timcappalli mentioned this pull request Jun 11, 2025
Closed
@martinthomson martinthomson mentioned this pull request Jul 1, 2025
Open
@zacknewman
Copy link
Contributor

Do we want an error to occur if an RP uses immediate mediation during credential registration, or is it sufficient to effectively treat it as an unknown enum value which in turn is treated as required?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@emlun emlun Awaiting requested review from emlun

At least 1 approving review is required to merge this pull request.

Assignees

@kenrb kenrb

Labels
type:technical
Projects
None yet
Milestone
L4 (First Published Working Draft)
Development

Successfully merging this pull request may close these issues.
6 participants
@kenrb @kopy @Firstyear @zacknewman @MasterKale @emlun