-
Notifications
You must be signed in to change notification settings - Fork 180
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for hinting at verbiage other than "sign in" during authentication #2086
Comments
This issue is already discussed in this WG (#1823) and I would like to support this issue and hope to leverage similar features to offer better UX. |
Yes, this seems like a duplicate of #1823. For the payment use case specifically, there is Secure Payment Confirmation which is an alternate API building on top of WebAuthn. |
That issue is closed, and this issue offers a bit more of a concrete proposal. I think the list from @Firehed above is a very pragmatic starting place for real-world RPs:
If this issue is closed, could we ask for #1823 to be opened instead of dropping the topic from this repo? |
@emlun SPC looks like an excellent API to handle the more complex use-cases - thanks for sharing that! Until browser support for that API improves, I suspect that RPs may use WebAuthn as it exists today for incremental progress towards the same goal even if they evolve to support SPC over time. In any case, I don't want to over-index on the payment use-case since WebAuthn is valuable for many other situations. For example, I suspect a lot of folks here have used it in Github settings screens to re-authenticate an active session prior to a sensitive action (adding an SSH key, changing email, etc). To expand on the proposed specifics a bit: const credential = await navigator.credentials.get({
publicKey: {
// ...
displayHints: ['value-in-discussion', 'confirm', 'sign-in'],
},
}) This would follow the same semantics of the existing Or for a more streamlined version, it could extend the existing const credential = await navigator.credentials.get({
publicKey: {
// ...
hints: ['security-key', 'confirm'],
},
}) This would represent prompting for a physical security key to confirm an action rather than signing in, and the user-agent could adjust the UI accordingly. Since the existing semantics of Enum-as-DOMString (§2.1.1) says to "handle" unknown values and the hints are provided in order of decreasing preference, this would allow RPs to provide both the transport hints and dialog texts in the same place. There's pros and cons to extending hints vs having a separate enumeration and |
Not opposed to this, but I think we should defer discussions to L4 based on existing work items, priorities, and the number of parties this impacts (it's not just browsers). /cc @nadalin |
Description
Currently, there's no way to influence the text shown to users during authentication, beyond the previously-registered name values. For the common case of signing in, the default text provided by user-agents is generally fine and appropriate. However, as WebAuthn and passkeys become more widely deployed, there are additional scenarios where users may be prompted to (re)authenticate where the common "sign in"1 text displayed isn't very appropriate.
In order to reduce user confusion in these scenarios, being able to better control the contents of the dialog displayed would be beneficial.
This could perhaps be an enhancement to the existing
PublicKeyCredentialHints
, or a similar additional (optional) structure, defaulting to the current behavior when omitted.Some use-cases that aren't well served by the existing text and could be enhanced:
Even being able to be consistent with a website's existing text ("log in" vs "sign in"), though not nearly as useful as updating the text for actions that aren't actually signing in. Being able to provide free-form text is not something I'd advocate for (yet), but a half-dozen or so predefined enum values could go a long way here.
None of this would change the actual authentication process or data; it's intended solely as a UX improvement to clarify to the end-user the result of using their passkey.
UI concept if the
pay
hint were used:Specifically in the payment area, I don't think the complexity of providing amounts to display in the dialog is worthwhile - it adds a lot of burden to all parties involved since it would invite stuff like "Subscribe for $6/wk for two months then $10/wk thereafter"
If this is a concept that people want to move forward with, I'd be more than happy to draft up the change more formally.
Related Links
This has been on the back of my mind for a while, and resurfaced thanks to #2084.
Footnotes
The current text already varies quite a bit by OS and browser ↩
The text was updated successfully, but these errors were encountered: