Signal API for passkeys is now available on Chrome for Android.

A user deletes their credential on the website, but the passkey remains in their passkey provider. The next time they try to sign in, the passkey provider offers a passkey that no longer works. A sign-in attempt will surely fail and this is such a bad experience.

The Signal API solves this by allowing your website to "signal" the current state of credentials to the passkey provider. You can tell the provider to delete invalid passkeys or update metadata, ensuring a seamless sign-in experience.

Learn more: https://developer.chrome.com/blog/signal-api-android

Capturing the overview of passkeys is difficult, especially if you are chasing updates. I wrote a personal blog post that captures an end of 2025 version of passkey keywords so you know what to learn.

Key terminologies to get a grasp of passkeys
https://blog.agektmr.com/en/2025/12/passkey-keywords.html

4 new ways Chrome autofill will simplify your holidays
https://blog.google/products/chrome/autofill-improvements/
Chrome can now remember your loyalty card and flight details for faster submission, along with an improved autofill experience on Android.

RE: https://infosec.exchange/@agektmr/115245262164960496

I'm in SYD to give this talk at Web Directions Developer Summit. See you there.

Hallway conversations are some of our #w3cTPAC attendees favorite parts of the week.

We’ll be sharing more photos throughout the week. Attendees, please feel free to share your own!

For those coming to Japan to attend TPAC, welcome! Hope you enjoy your stay here.

@paul @AlesandroOrtiz @developers This is now fixed. Thanks for the report!
https://developer.chrome.com/blog/fedcm-chrome-142-updates

@paul @AlesandroOrtiz @developers Thanks for the report! We'll fix it soon.

i'm glad that no matter what the current state of the world is We get to witness the japanese gboard team's descent into insanity

DBSC (Device Bound Session Credentials) has started its second origin trial on Chrome .

DBSC is a browser mechanism that allows websites to bind session credentials such as cookies to a device so that it can mitigate chances for cookie thefts. In this origin trial, we have changed some header names, jwt schema, http status and so on. With origin trial, you can allowlist your website domain to enable the feature.

Learn more from: https://developer.chrome.com/blog/dbsc-origin-trial-update

@Jespertheend `NotAllowedError` indicates conditions didn't meet https://developer.chrome.com/docs/identity/webauthn-conditional-create?hl=en#ignore_the_exceptions_gracefully
Unfortunately, passwordless flows are not supported in general. I'm not aware of any plans to support passwordless flows.

@Jespertheend it's already available on all Chrome desktop platforms.
https://developer.chrome.com/blog/passkey-automatic-upgrades
And because Safari on iOS26 supports it, Chrome there also supports it.

One correction: The feature is still in beta and available from next stable version—Chrome 142.

Chrome for Android can now help users adopt passkeys more seamlessly.

If a user signs in with a saved password, your website can request that Google Password Manager (GPM) create a passkey automatically using a WebAuthn API feature called "Conditional Create". Chrome does not interrupt the user. After creation, Chrome shows a brief confirmation and a Manage button that opens the new passkey in Google Password Manager settings. Users can turn this feature off in Google Password Manager settings.

This feature has been available on Chrome desktop, but it's now available on Android too!

Learn more: https://developer.chrome.com/blog/automatic-passkey-creation-android

Digital Credentials API is now available on Chrome!

Thanks everyone for participating in and sending feedback to the Digital Credentials API origin trial. After some refinement, we've successfully shipped Digital Credentials API on Chrome starting in its version 141.

With Digital Credentials API, users can prove their identity using a digital credential served from one of digital wallets they have, such as Google Wallet. These credentials are carefully designed so only necessary part can be presented, for example, age verification is possible without revealing the birth day.

Continue to the announcement to learn more:
https://developer.chrome.com/blog/digital-credentials-api-shipped

Excited to be speaking at FIDO Alliance's Authenticate US 2025 with my amazing colleague Niharika Arora about "𝐖𝐡𝐚𝐭’𝐬 𝐧𝐞𝐰 𝐨𝐧 Google 𝐩𝐥𝐚𝐭𝐟𝐨𝐫𝐦s 𝐟𝐨𝐫 𝐏𝐚𝐬𝐬𝐤𝐞𝐲𝐬"
https://authenticatecon.com/event/authenticate-2025/

Happy to catch-up if you are joining and discuss all Identity things!

Excited to be delivering State of identity and authentication on the web at Web Directions Developer Summit in Sydney (and online) November 19 and 20, and I'd love to see you there.
https://webdirections.org/dev-summit/speakers/eiji-kitamura.php

Get $200 off in person with the code "eijidevsummit25" and $100 off a streaming ticket with the code "eijidevsummit25streaming".

Learn more at https://webdirections.org/dev-summit , and hope to see you there!

@mcrocker @faoluin FIDO/WebAuthn looks a superior superset of SQRL to me. But I see your point.

@mcrocker @faoluin I haven't read the spec in details, but who owns the SQRL client? Where does the private key go after creating an account? What happens when the user switches to a new device?

@mcrocker I see what you mean, but strict security and open source solutions aren't always the best combination. Platforms want to keep non-tech savvy people safe by designing things robust and easy to use, but that can keep flexible solutions like open source products away. At least, we are trying to keep them in the ecosystem yet. Let me know what you think are missing now.