Conditional UI / Conditional Mediation / Passkey Autofill is a major feature of passkeys. This article explains what it is, how it works & how to implement it.
Vincent
Created: October 20, 2023
Updated: November 18, 2024
3. Conditional UI Benefits and Drawbacks
4. How does Conditional UI work?
5. Technical Requirements for Conditional UI
6.1 Full Conditional UI Example
6.2 Browser Compatibility Check
6.3 WebAuthn Autocomplete Token in Input Fields
6.4 Mediation Property in WebAuthn API Get Call
6.5 Cancellation of Conditional UI Flow
6.6 Conditional UI in Native Apps
6.6.1 Conditional UI in iOS Apps
6.6.2 Conditional UI in Android Apps
7. Conditional UI Examples in Different Devices / Browsers
7.1 Conditional UI in Windows 11 (22H2) + Chrome 118
7.2 Conditional UI in macOS Ventura (13.5.1) + Chrome 118
7.3 Conditional UI in macOS Ventrua 11 (13.5.1) + Safari 16.6
7.4 Conditional UI in Android 13 + Chrome 118
7.5 Conditional UI in iOS 17.1 + Safari 17.1
Our mission is to make the Internet a safer place , and the new login standard passkeys provides a superior solution to achieve that. Thats why we want to help you understanding passkeys and their characteristics better.
With the rapid adoption of passkeys (and the underlying WebAuthn protocol) authentication has become more secure and user friendly for many users. One of the standout advancements of passkeys has been the integration of Conditional UI, often referred to as "passkey autofill" or Conditional Mediation (in the following we stay with the term Conditional UI).
Despite its recent introduction and ongoing adoption by browsers, theres a noticeable gap in technical documentation and implementation advice for Conditional UI. This article aims to bridge that gap by explaining what Conditional UI is, how it works and how to tackle common challenges during its implementation.
Recent Articles
Conditional UI represents a new mode for passkeys / WebAuthn login processes. It selectively displays passkeys in a user interface (UI) only when a user has a discoverable credential (resident key), which is a type of passkey, registered with the relying party (the online service) stored in their authenticator of a device (e.g. laptop, smartphone). The passkeys are displayed in a selection dropdown that is mixed up with autofilled passwords, providing a seamless transition between traditional password systems and advanced passkey authentication, as users see both in the same context. This intelligent approach ensures that users aren't overwhelmed with unnecessary options and can navigate the login process more seamlessly.
The foundation of Conditional UI is built on three main pillars:
Ben Gould
Head of Engineering
I’ve built hundreds of integrations in my time, including quite a few with identity providers and I’ve never been so impressed with a developer experience as I have been with Corbado.
10,000+ devs trust Corbado & make the Internet safer with passkeys. Got questions? We’ve written 150+ blog posts on passkeys.
Join Passkeys CommunityIn the following,we provide a step-by-step breakdown of the single steps of an entire Conditional UI flow:
In general, the Conditional UI process flow can be partitioned in two phases. During the page load phase, Conditional UI logic happens in the background, while in the user operation phase, the user has to actively do something.
By following this process flow, Conditional UI offers a seamless and user- friendly authentication experience.
To get Conditional UI working, some general aspects need to be considered:
To get Conditional UI working on the client-side, the following requirements must be fulfilled:
To get Conditional UI working, some requirements on the server-side must be fulfilled as well:
Since the official roll out of Conditional UI in late 2022 and earlier beta versions, weve been testing and working extensively with it. In the following, we want to share with you practical tips that helped during the implementation of Conditional UI.
A full, minimalistic code example for a Conditional UI method would look like this:
Implement Conditional UI detection that ensures that Conditional UI is only employed when the current device / browser combination supports it. This should work without presenting user-visible errors in the absence of Conditional UI support. Incorporating the isConditionalMediationAvailable() method within the user interface addresses this concern. If Conditional UI support is given, the Conditional UI login process can be started.
The input field should receive a webauthn HTML autofill token. This signals the client to populate passkeys to the ongoing request. Besides passkeys, other autofill values might be showcased as well. These autofill tokens can be paired with other existing tokens, e.g.:
To retrieve available passkeys after having received the PublicKeyCredentialRequestOptions object, the navigator.credentials.get() function should be called (which serves both passkeys and passwords). The PublicKeyCredentialRequestOptions object needs to have the mediation parameter set to conditional to activate Conditional UI on the client.
If there's no available passkey, or the user neglects the suggested passkeys and enters their email, the Conditional UI flow is stopeed. This underscores the importance of always supporting the standard passkey / WebAuthn login via a modal as well.
A critical point to emphasize here is the potential need to halt an ongoing Conditional UI request. Contrary to modal experiences, autofill dropdowns lack a cancellation button. As per WebAuthn's design, only a single active credential request should be in progress at any given moment. The WebAuthn standard suggests utilizing an AbortController to cancel a WebAuthn process, applicable to both regular and Conditional UI login processes (see here for details).
The Conditional UI login process gets activated as soon as a user lands on the page. The initial task should be to create a globally-scoped AbortController object. This will act as a signal for your client to terminate the autofill request, especially if the user decides to do the regular passkey login process. Reassure that the AbortController can be invoked by other functions and is reset if the Conditional UI process has to restart. Employ the signal property within the navigator.credentials.get() call, incorporating your AbortController signal as its value. This signals to the passkey / WebAuthn function that the request must be halted if the signal gets aborted. Remember to set up a fresh AbortController each time you trigger Conditional UI. Using an already-aborted AbortController will lead to an instant cancellation of the passkey / WebAuthn function. The remaining steps align with a regular passkey login process. In the following, you see a code example of the mentioned steps:
In the absence of Conditional UI support, direct users towards the regular passkey login process. Offering this path is important for users relying on hardware security keys (e.g. YubiKeys) or those compelled to use non-resident keys / non-discoverable credentials due to authenticator constraints.
When you develop a native app, e.g. for iOS or Android, Conditional UI works as well. It doesnt matter if you implement it natively in Flutter, Kotlin or Swift, or if you decide to go with Chrome Custom Tabs CCT or SFSafariViewController or SFAuthenticationSession / ASWebAuthenticationSession. Both approaches support Conditional UI.
In general, we found almost no documentation on how to implement Conditional UI support for iOS apps. During our research, however, we discovered two ways of adding Conditional UI support to an iOS app, as the user experience will also differ.
Type A: Overlay / Popup over Almost Entire Screen
The first type A shows an overlay / popup that spans almost over the entire screen. Here, youll see all available passkeys for this relying party. A prominent example that implements Conditional UI this way is KAYAK. The overlay / popup emerges automatically, when the user opens the right screen.
Type B: Keyboard Autofill
The second type B displays a suitable passkey in the autofill section of the
keyboard (where also passwords are suggested for autofill). Clicking on the
suggest value will perform the Face ID authentication and lets you login. In
the current iOS app version of the Corbado developer panel, we have
implemented it this way (see the Sign in with passkey for <relying party ID>
message together with the WebAuthn username). To show up, the user
needs to tap into the input field:
This passkey autofill feature in the keyboard section might have issues when the iOS is freshly installed as apparently some kind of caching happens in the background that looks up all the available passkeys for this relying party.
Clicking on the key icon on the right of the suggested passkey leads to the known site for choosing passwords / passkeys in iOS:
Please note that we have not found official documentation, and our insights are based on our experiences and hypotheses rather than concrete proof of the proper implementation.
In Android, the story for Conditional is a bit clearer, as there is only one type for Conditional UI / passkey autofill that leverages the Android Credential Manager API (see the documentation here).
Opening the page where Conditional UI is implemented shows the following screen, where youll find different ways to sign in:
Clicking on More saved sign-ins provides more options to choose for the sign-in (including cross-device authentication and the selection of a different passkey sync platform, e.g. Samsung Pass or 1Password):
To illustrate how Conditional UI looks like for the end user, we added several screenshots of a Conditional UI autofill menu using https://passkeys.eu.
Passkeys, with its Conditional UI / passkey autofill capability, are the new way to authenticate online. As we transition to an era where passwords are more and more replaced by passkeys, the need for robust and user-friendly transition mechanisms is undeniable. This article has helped to understand how to correctly implement Conditional UI, a great help in the transition process, and which aspects to pay special attention to. To stay up-to-date about the latest developments in the world of passkeys and conditional UI, feel free to join our passkeys community.
Table of Contents
Enjoyed this read?
🤝 Join our Passkeys Community
Share passkeys implementation tips and get support to free the world from passwords.
🚀 Subscribe to Substack
Get the latest news, strategies, and insights about passkeys sent straight to your inbox.
We provide UI components, SDKs and guides to help you add passkeys to your app in <1 hour
Start for free