
Provide a way for Web Extensions to hook into browser's Passkey autofill UI

Open arianvp opened this issue 1 year ago • 4 comments

Description

Password Managers are rolling out Passkey support and they're doing this by monkey-patching navigator.credentials.get. This is leading to a lot of confusion with users as suddenly native Passkey autofill (conditional mediation) breaks and instead a non-native pop-up opens when the website loads.

This breaks all the nice usability features of Passkeys.

I have a lot of complaints from colleagues (as we're both using 1Password and Passkeys) that they cannot log in anymore, and I need to explain to them that instead of expecting the nice Autofill flow from Safari they need to click the little "Security Key" icon in the 1Password popup. The problem is that I don't think 1Password can do any better within the constraints of the current API. And we need to provide them with the tools to build a nicer integration.

1Password's implementation currently does the following:

  1. Intercept the call with mediation: conditional.
  2. Show the 1Password UI.
  3. If you dismiss it, it rewrites the navigator.credentials.get() call to be non-conditional, triggering a modal flow. Note: I think they have no option here as it's not possible to trigger the conditional mediation flow from a web extension? (Not sure about this.)

Solution

Stop-gap solution:

If an extension intercepts a navigator.credentials.get({mediation:"conditional"}) call, it should be able to call navigator.credentials.get({mediation:"conditional"}) again after dismissing the extension-specific logic, such that the browser autofill gets triggered.

Ideal solution:

Web Extensions should not be forced to monkey-patch navigator.credentials.get and break native autofill behaviour. Instead they should be provided with hooks to augment the autofill UI and add their own entries in the list.

Other options

Disable Password Manager.

Related Links

Notes

Perhaps this discussion should be had in the Web-Extensions group. But given people here are domain experts about how the browser integrations for WebAuthn are built, I think discussion here is useful. We could then make a proposal for an API to the WebExtensions WG.

arianvp, Sep 26 '23 08:09
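The three-step interception flow and the stop-gap from the issue above, as an added example that is not part of the original post and is not 1Password's code. It runs against a constructed stand-in for `navigator.credentials`; `makeFakeCredentials`, `patchGet`, `rewriteToModal`, `keepConditional` and `modesSeenByBrowser` are hypothetical names, and the extension UI is modelled as a synchronous callback.

```javascript
// Constructed stand-in for the browser's navigator.credentials.
// It logs the mediation mode each request reaches the browser with.
function makeFakeCredentials(log) {
  return {
    get(options = {}) {
      const mode = options.mediation ?? "optional"; // spec default
      log.push(mode);
      // "conditional" => autofill entry; anything else => modal dialog
      const ui = mode === "conditional" ? "autofill" : "modal";
      return Promise.resolve({ ui });
    },
  };
}

// Hypothetical extension wrapper following the steps listed in the issue.
// extensionUi returns a credential, or null when the user dismisses it.
function patchGet(credentials, extensionUi, afterDismiss) {
  const nativeGet = credentials.get.bind(credentials);
  credentials.get = (options = {}) => {
    // Step 1: only conditional-mediation calls are intercepted.
    if (options.mediation !== "conditional") return nativeGet(options);
    const picked = extensionUi(options);     // Step 2: extension UI
    if (picked) return Promise.resolve(picked);
    return nativeGet(afterDismiss(options)); // Step 3: hand back to browser
  };
}

// Behaviour described in the issue: the conditional hint is dropped.
const rewriteToModal = ({ mediation, ...rest }) => rest;
// Stop-gap proposed in the issue: re-issue the request unchanged.
const keepConditional = (options) => ({ ...options });

// Returns the mediation modes the (fake) browser saw after a dismissal.
function modesSeenByBrowser(afterDismiss) {
  const log = [];
  const credentials = makeFakeCredentials(log);
  patchGet(credentials, () => null, afterDismiss); // user dismisses the UI
  credentials.get({
    mediation: "conditional",
    publicKey: { challenge: new Uint8Array(32) }, // constructed sample
  });
  return log;
}

console.log(modesSeenByBrowser(rewriteToModal));  // modal flow
console.log(modesSeenByBrowser(keepConditional)); // autofill flow
```

The model only shows which mediation mode reaches the browser in each variant; whether a real browser accepts a re-issued conditional request from an extension is the open question the issue raises.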