
Client terminology hints for external authenticator form factors

Open timcappalli opened this issue 1 month ago • 3 comments

Description

Most WebAuthn clients today use the "security key" terminology in authenticator / credential selection dialogs to represent external authenticators. Additional form factors have been introduced in the market such as cards, rings, and badges, and there has been some feedback that this can be confusing to users in some environments.

An example is a payment card with an embedded passkey that can be used via NFC.

We should consider addressing this as part of a wider "client terminology hints" effort to include #2086, in Level 4.


A rough proposal would be a new optional object in the request with two members, one for form factor and one for "action" (#2086). formFactor would accept an ordered list (values from an enum) and action would accept a single value (from an enum).

(uiTextHints is not great. need other suggestions.)

{
  "challenge": "",
  "timeout": 60000,
  "rpId": "mybank.com",
  "userVerification": "required",
  "hints": [
    "security-key"
  ],
  "uiTextHints": {
    "formFactor": [
      "card",
      "security-key"
    ],
    "action": "authorize"
  }
}

timcappalli, Nov 12 '25 02:11

Alternative (option 2)

{
  "challenge": "",
  "timeout": 60000,
  "rpId": "mybank.com",
  "userVerification": "required",
  "hints": [
    "card",
    "security-key"
  ],
  "purpose": "authorize"
}

timcappalli, Nov 13 '25 05:11

Proposed list of new hints:

  • card
  • badge
  • ring
  • contact-card
  • contactless-card

timcappalli, Nov 13 '25 06:11

2025-11-13 TPAC: general agreement to proceed with proposal 2.

timcappalli, Nov 13 '25 06:11
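
An added example, not part of the issue thread and not code from the WebAuthn spec or any client: a sketch of how a client could resolve dialog terminology from the option 2 request, given that hints are ordered by preference and unrecognized hint values are ignored. The helper `resolveTerminology`, its `supportsProposal` flag and the placeholder challenge are assumptions made for illustration.

```javascript
// Added illustration; not code from the WebAuthn spec or any browser.
// Hint values already defined in WebAuthn Level 3.
const KNOWN_HINTS = new Set(["security-key", "client-device", "hybrid"]);
// Form-factor hints proposed in this issue (not standardized).
const PROPOSED_HINTS = new Set([
  "card", "badge", "ring", "contact-card", "contactless-card",
]);

// Hypothetical helper: decide which term a client dialog would show.
// `supportsProposal` models a client that implements option 2.
function resolveTerminology(options, supportsProposal) {
  const hints = Array.isArray(options.hints) ? options.hints : [];
  const recognized = [];
  const ignored = [];
  for (const hint of hints) {
    const ok = KNOWN_HINTS.has(hint) ||
      (supportsProposal && PROPOSED_HINTS.has(hint));
    (ok ? recognized : ignored).push(hint);
  }
  return {
    // Hints are ordered by preference, so the first recognized one wins.
    term: recognized.length > 0 ? recognized[0] : null,
    // Assumption: a client without the proposal never reads `purpose`.
    purpose: supportsProposal && typeof options.purpose === "string"
      ? options.purpose : null,
    ignored,
  };
}

// Option 2 request from the issue; the challenge is a constructed placeholder.
const option2Request = {
  challenge: "PLACEHOLDER_CHALLENGE",
  timeout: 60000,
  rpId: "mybank.com",
  userVerification: "required",
  hints: ["card", "security-key"],
  purpose: "authorize",
};

console.log(resolveTerminology(option2Request, true));
console.log(resolveTerminology(option2Request, false));
```

Under these assumptions, keeping "security-key" as a trailing hint, as the option 2 request does, is what gives an older client a term it still recognizes.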