w3ctag / design-reviews

W3C specs and API reviews
Creative Commons Zero v1.0 Universal

Credential Management: Conditional Mediation #692

Closed: nsatragno closed 2 years ago

nsatragno commented 2 years ago

Nyanpasu~ TAG!

I'm requesting a TAG review of Credential Management: Conditional Mediation.

A new kind of mediation in credential management that instructs the user agent not to display UI unless the user has credentials. Designed to solve the bootstrapping problem when replacing passwords by WebAuthn credentials: websites should be able to fire a WebAuthn call while showing a regular password prompt without worrying about showing a modal dialog error if the device lacks appropriate credentials.

Conditional Mediation is built on top of credential management to allow integration with other credential types.

Further details:

You should also know that this feature has two parts: adding "Conditional Mediation" to Credential Management and the particular utilization of it by the WebAuthn spec. We would like to have TAG review the first part here. The second part is included in #686.

We'd prefer the TAG provide feedback as (please delete all but the desired option):

💬 leave review feedback as a comment in this issue and @-notify nsatragno@ equalsjeffh@

torgo commented 2 years ago

Hi @nsatragno - we're looking at this (and the general topic of making webauthn more friendly) at our virtual f2f this week. A couple of questions: if the user does have an appropriate credential but they don't want to use it - for example, they want to log in as another identity - then what information does the web app know about the user's choice? If the web page displays a username and password dialog at the same time that the browser surfaces a webauthn UI of some kind to pick a credential, isn't that going to be confusing to the user? Since the web page won't know that the browser is supplying this UI (which seems important from a privacy & security standpoint) how is that expected to work? We can see the screenshot in the explainer under Conditional UI, but it isn't clear if this is the current status quo or if this is the aspirational UI.

Also: can you please bring the (well written!) explainer over to a markdown file in the appropriate webauthn repo? Also can we suggest that you link to this document from the explainer in order to help put this one in context?

nsatragno commented 2 years ago

Hi @torgo, thank you for looking into this! I have ported the explainer to a wiki file written in markdown on the WebAuthn repository.

I'll try to answer all the questions below:

> if the user does have an appropriate credential but they don't want to use it - for example, they want to log in as another identity - then what information does the web app know about the user's choice?

The user agent will disclose a credential if and only if the user selects that webauthn credential and passes the local user verification challenge. For any other case, the user agent won't disclose anything at all. In other words, if they want to log in with a different identity, the website will get no information at all through WebAuthn/Conditional UI. I have updated the explainer's privacy considerations to make this more clear.

> If the web page displays a username and password dialog at the same time that the browser surfaces a webauthn UI of some kind to pick a credential, isn't that going to be confusing to the user?

Conditional UI is designed to integrate with the browser's existing autofill UI surface to address this, i.e. it should be no more confusing than the website offering to autofill a password.

> Since the web page won't know that the browser is supplying this UI (which seems important from a privacy & security standpoint) how is that expected to work?

Autofill surfaces and sign-in forms already deal with this UI dynamic, which we are leveraging for Conditional UI.
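The request flow discussed above, seen from the sign-in page, as an added example that is not part of the original thread or of the specification text. The function names, the injected `env` object and the `autocomplete="username webauthn"` form field are assumptions made for illustration.

```javascript
// Added example: relying-party side of a conditional-mediation request.
// `env` is injected so the logic can be exercised outside a browser; in a page,
// pass { PublicKeyCredential: window.PublicKeyCredential,
//        credentials: navigator.credentials }.
// Assumed markup: <input name="username" autocomplete="username webauthn">.

function buildConditionalRequest(challenge, signal) {
  return {
    mediation: "conditional", // no modal dialog; credentials surface via autofill only
    signal,                   // lets the page cancel once the password path is used
    publicKey: {
      challenge,              // server-issued random bytes (BufferSource)
      allowCredentials: [],   // empty: the site does not yet know who the user is
    },
  };
}

async function startConditionalSignIn(env, challenge, controller) {
  const pkc = env.PublicKeyCredential;
  // Feature-detect first: without conditional mediation the same call could
  // raise a modal WebAuthn dialog on a device that holds no credential.
  if (!pkc || typeof pkc.isConditionalMediationAvailable !== "function" ||
      !(await pkc.isConditionalMediationAvailable())) {
    return { status: "unsupported" };
  }
  try {
    // Stays pending while the password form remains usable. It resolves only
    // after the user picks a WebAuthn credential from autofill and passes
    // local user verification.
    const cred = await env.credentials.get(
      buildConditionalRequest(challenge, controller.signal));
    return cred ? { status: "assertion", credential: cred } : { status: "none" };
  } catch (err) {
    // Aborted because the password form was submitted: the page has learned
    // nothing about which credentials exist on the device.
    if (err && err.name === "AbortError") return { status: "aborted" };
    return { status: "error", name: err && err.name };
  }
}
```

Call `controller.abort()` from the password form's submit handler so the pending request does not outlive the sign-in attempt.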

torgo commented 2 years ago

Hi @nsatragno - thanks for these responses and the updates. This looks good to us. We're excited to see WebAuthN enjoy more adoption (which we are also discussing in #686).