diff --git a/spec/index.bs b/spec/index.bs index dc9cd521..64f59bf8 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -29,6 +29,8 @@ spec: ecma262; urlPrefix: https://tc39.github.io/ecma262/ spec: credential-management-1; urlPrefix: https://w3c.github.io/webappsec-credential-management/ type: dfn text: same-origin with its ancestors; url: same-origin-with-its-ancestors + type: dfn + text: requires user mediation; url: origin-requires-user-mediation
@@ -458,8 +460,6 @@ This [=internal method=] accepts three arguments: -NOTE: The |options|.{{CredentialRequestOptions/mediation}} flag is currently not used. - The |options|.{{CredentialRequestOptions/signal}} is used as an abort signal for the requests. @@ -492,8 +492,8 @@ algorithm is invoked, the user agent MUST execute the following steps. This retu method to throw an error. If there was no such timer, the developer could easily infer whether the user has an account with the [=IDP=] or not, or whether the user closed the UI without granting permission to share the [=IDP=] account information with the [=RP=]. 1. Let |provider| be |options|["{{CredentialRequestOptions/identity}}"]["{{IdentityCredentialRequestOptions/providers}}"][0]. - 1. Let |credential| be the result of running [=create an IdentityCredential=] with |provider| and - |globalObject|. + 1. Let |credential| be the result of running [=create an IdentityCredential=] with |provider|, + |options|["{{CredentialRequestOptions/mediation}}"], and |globalObject|. 1. If |credential| is failure, throw a new "{{NetworkError}}" {{DOMException}}. 1. Return |credential|. 
@@ -507,44 +507,64 @@ agent UI, and creates the {{IdentityCredential}} that is then returned to the [=To create an IdentityCredential given an {{IdentityProviderConfig}} -|provider| and a |globalObject|, run the following steps. This returns an {{IdentityCredential}} or -failure. +|provider|, a {{CredentialRequestOptions/mediation}} |mediation|, and a |globalObject|, run the +following steps. This returns an {{IdentityCredential}} or failure. 1. Assert: These steps are running [=in parallel=]. + 1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s + [=requires user mediation=]. + 1. If |requiresUserMediation| is true and |mediation| is + "{{CredentialMediationRequirement/silent}}", return failure. 1. Let |config| be the result of running [=fetch the config file=] with |provider| and |globalObject|. 1. If |config| is failure, return failure. 1. Let |accountsList| be the result of [=fetch the accounts list=] with |config|, |provider|, and |globalObject|. 1. If |accountsList| is failure, return failure. - 1. For each |account| in |accountsList|: - 1. If |account|["{{IdentityProviderAccount/picture}}"] is present, - [=fetch the account picture=] with |account| and |globalObject|. + 1. For each |acc| in |accountsList|: + 1. If |acc|["{{IdentityProviderAccount/picture}}"] is present, [=fetch the account picture=] + with |acc| and |globalObject|. Note: The [=user agent=] may choose to show UI which does not initially require fetching the account pictures. In these cases, the [=user agent=] may delay these fetches until they are needed. Because errors from these fetches are ignored, they can happen in any order. + 1. Let |registeredAccount|, |numRegisteredAccounts| be null and 0, respectively. + 1. Let |account| be null. + 1. For each |acc| in |accountsList|: + 1. Let |accState| be the result of running the [=compute account state=] algorithm given + |provider| and |acc|. + 1. 
If |accState| is {{registered}}, set |registeredAccount| to |acc| and increase + |numRegisteredAccounts| by 1. 1. Let |permission| be false. - 1. If |accountsList|'s size is 1: - 1. Let |account| be |accountsList|[0]. - 1. Let |accountState| be the result of running the [=compute the connection status=] algorithm + 1. If |mediation| is not "{{CredentialMediationRequirement/required}}", |requiresUserMediation| + is false, and |numRegisteredAccounts| is equal to 1: + 1. Set |account| to |registeredAccount| and |accountState| to the result of running + [=compute account state=] algorithm given |provider| and |account|. When doing this, + the user agent MAY show some UI to the user indicating that they are being + auto-reauthenticated. + 1. Otherwise, if |mediation| is "{{CredentialMediationRequirement/silent}}", return failure. + 1. Otherwise, if |accountsList|'s size is 1: + 1. Set |account| to |accountsList|[0]. + 1. Set |accountState| to the result of running the [=compute the connection status=] algorithm given |provider|, |account|, and |globalObject|. - 1. If |accountState| is [=compute the connection status/disconnected=], set |permission| - to the result of running [=request permission to sign-up=] algorithm with |account|, - |config|, |provider|, and |globalObject|. + 1. If |accountState| is [=compute the connection status/disconnected=], + let |permission| be the result of running [=request permission to sign-up=] algorithm + with |account|, |accountState|, |config|, |provider|, and |globalObject|. 1. Otherwise, show a dialog to request user permission to sign in via |account|, and set the result in |permission|. 1. Otherwise: - 1. Let |account| be the result of running the [=select an account=] from the + 1. Set |account| to the result of running the [=select an account=] from the |accountsList|. 1. If |account| is failure, return failure. - 1. Let |accountState| be the result of running the [=compute the connection status=] algorithm + 1. 
Set |accountState| to the result of running the [=compute the connection status=] algorithm given |provider| and |account|. 1. If |accountState| is [=compute the connection status/disconnected=]: 1. Let |permission| be the result of running the [=request permission to sign-up=] algorithm with |account|, |config|, |provider|, and |globalObject|. 1. Otherwise, set |permission| to true. - 1. Wait until the [=user agent=]'s dialog is closed. - 1. If |permission| is false, return failure. + 1. Wait until the [=user agent=]'s dialogs requesting for user choice or permission to be + closed, if any are created in the previous steps. + 1. Assert: |account| is not null. + 1. If |permission| is false, then return failure. 1. Let |credential| be the result of running the [=fetch an identity assertion=] algorithm with |account|'s {{IdentityProviderAccount/id}}, |provider|, |config|, and |globalObject|.
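Review bot: In the first hunk (@@ -29,6 +29,8), the imported term [=requires user mediation=] is a per-origin flag (its anchor is origin-requires-user-mediation), and the only place this patch reads it is from |provider|'s {{IdentityProviderConfig/configURL}}'s origin. Nothing in the patch says what sets that flag for an IDP origin, or whether the RP's origin was the intended subject. Since this flag is what gates silent re-authentication, add a sentence or step stating which origin it is keyed on and where it gets set.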
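Review bot: In the hunk at @@ -458,8 +460,6, deleting the NOTE leaves the argument description with no statement of what |options|.{{CredentialRequestOptions/mediation}} does, while the neighbouring sentence still documents {{CredentialRequestOptions/signal}}. Replace the note rather than removing it, with one sentence that matches the steps added to [=create an IdentityCredential=]: "silent" returns failure instead of showing UI, and "required" skips auto-reauthentication.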
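Review bot: In the @@ -507,44 +507,64 hunk, the new auto-reauthentication branch (|mediation| is not "required", |requiresUserMediation| is false, |numRegisteredAccounts| is 1) sets |account| and |accountState| but leaves |permission| at its initial false, so the later step "If |permission| is false, then return failure" rejects every auto-reauthentication. Set |permission| to true in that branch. Smaller points in the same hunk: |accountState| is now only ever "Set" and no step declares it with "Let", while |permission| is declared by "Let |permission| be false" and then re-declared with "let |permission| be" in the size-1 branch. [=request permission to sign-up=] is passed |accountState| in the size-1 branch but not in the final Otherwise branch. The added steps use [=compute account state=] and {{registered}} where the surrounding steps use [=compute the connection status=] and its disconnected value, so pick one algorithm name and one argument list.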