Client terminology hints for external authenticator form factors

[timcappalli]

Description

Most WebAuthn clients today use the "security key" terminology in authenticator / credential selection dialogs to represent external authenticators. Additional form factors have been introduced in the market such as cards, rings, and badges, and there has been some feedback that this can be confusing to users in some environments.

An example is a payment card with an embedded passkey that can be used via NFC.

We should consider addressing this as part of a wider "client terminology hints" effort to include #2086, in Level 4.

---

A rough proposal would be a new optional object in the request with two members, one for form factor and one for "action" (#2086). formFactor would accept an ordered list (values from an enum) and action would accept a single value (from an enum).

(uiTextHints is not great. need other suggestions.)

{
  "challenge": "",
  "timeout": 60000,
  "rpId": "mybank.com",
  "userVerification": "required",
  "hints": [
    "security-key"
  ],
  "uiTextHints": {
    "formFactor": [
      "card",
      "security-key"
    ],
    "action": "authorize"
  }
}

[timcappalli]

Alternative (option 2)

{
  "challenge": "",
  "timeout": 60000,
  "rpId": "mybank.com",
  "userVerification": "required",
  "hints": [
    "card",
    "security-key"
  ],
  "purpose": "authorize"
  }
}

[timcappalli]

Proposed list of new hints:

• card
• badge
• ring
• contact-card
• contactless-card

[timcappalli]

2025-11-13 TPAC: general agreement to proceed with proposal 2.