# Passkey form autofill
On this page, you can try signing in through a form that accepts both passkeys
and passwords. We call this the "passkey form autofill" flow. In addition, the
WebAuthn Signal API deletes a passkey when it's unusable.
## How to use
Put your cursor on the username field and form autofill suggestions should
appear. The list contains passkeys and passwords that are stored in the password
manager, so you can select one to proceed with signing in.
If you haven't created a passkey on this website yet, you can enter an arbitrary
username and continue. You can enter a random password on the next page to
create an account. The password will be ignored.
If you do have entries in the password manager:
* Select a password entry, and the associated username will be filled into the
  username field, so that you can **Continue** to enter a password.
* Select a passkey entry, and a passkey dialog will appear to proceed with
  user verification, and you'll be signed in.
If your sign-in attempt is rejected by the server because the public key is not
found on the server, the password manager will delete the passkey to avoid
further confusion. This is done by the WebAuthn Signal API.
## How to develop
### Passkey form autofill
You can enable passkey form autofill by adding `mediation: "conditional"` to
the `navigator.credentials.get()` call of an ordinary passkey authentication
invocation. Also, the `input` element must contain `webauthn` within its
`autocomplete` attribute.
You can learn the basics of passkey development through:
* [Sign in with a passkey through form autofill](https://web.dev/articles/passkey-form-autofill)
* [Server-side passkey authentication](https://developers.google.com/identity/passkeys/developer-guides/server-authentication)
* [Implement passkeys with form autofill in a web app](https://goo.gle/passkeys-codelab)
### WebAuthn Signal API
If your sign-in attempt with a passkey fails on the server after a successful
user verification, it's most likely because the signature could not be verified
on the server, as the public key is not found. In such a circumstance, keeping
the passkey in the passkey provider is nothing but confusing.
By using the Signal API, the RP can let the passkey provider know that a
specific passkey is not known to the RP, so that the passkey provider can delete
the matching passkey, if it supports the feature.
* [Keep passkeys consistent with credentials on your server with the Signal API](https://developer.chrome.com/docs/identity/webauthn-signal-api)
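
The two pieces described above (conditional mediation and the unknown-credential signal) combined in one client-side function, as an added example that is not this demo's own code. The endpoint paths, the use of HTTP 404 to mean "public key not found", and the `env` parameter (present so the function can be exercised with stubs) are assumptions.

```javascript
// Added example: form-autofill sign-in that signals an unknown passkey.
// Hypothetical: endpoint paths, the 404 convention, and the `env` parameter.
async function signInWithAutofill(rpId, env = globalThis) {
  const { PublicKeyCredential: PKC, navigator: nav, fetch: doFetch } = env;

  // Feature-detect conditional mediation before relying on autofill.
  if (!PKC?.isConditionalMediationAvailable ||
      !(await PKC.isConditionalMediationAvailable())) {
    return { status: 'unsupported' };
  }

  // Hypothetical endpoint returning PublicKeyCredentialRequestOptionsJSON
  // with a fresh server-generated challenge.
  const optionsRes = await doFetch('/auth/signinRequest', { method: 'POST' });
  const publicKey = PKC.parseRequestOptionsFromJSON(await optionsRes.json());

  // Resolves only after the user picks a passkey from the autofill list of
  // an <input autocomplete="username webauthn"> field and verifies.
  const credential = await nav.credentials.get({
    publicKey,
    mediation: 'conditional',
  });

  // Hypothetical endpoint that verifies the assertion signature.
  const res = await doFetch('/auth/signinResponse', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(credential.toJSON()),
  });
  if (res.ok) return { status: 'signed-in' };

  // Assumed convention: 404 means the server has no public key for this
  // credential ID. Signal only on that definite answer, never on 5xx or
  // network failures, or a transient outage could remove valid passkeys.
  if (res.status === 404 && PKC.signalUnknownCredential) {
    // credential.id is already the base64url string the Signal API expects.
    await PKC.signalUnknownCredential({ rpId, credentialId: credential.id });
    return { status: 'rejected', signaled: true };
  }
  return { status: 'rejected', signaled: false };
}
```

On the server side, the "not found" status should be returned only when the credential ID lookup misses, not for every verification failure.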