Subscribe to the Non-Human & AI Identity Journal
Home Glossary Architecture & Implementation Patterns Conditional Mediation
Architecture & Implementation Patterns

Conditional Mediation

← Back to Glossary
By NHI Mgmt Group Updated July 10, 2026 Domain: Architecture & Implementation Patterns

A WebAuthn pattern that lets the browser offer a passkey inside the existing sign-in experience rather than forcing a separate prompt. It improves discoverability and reduces friction because the user encounters passkeys where credentials already live, not as a new login method to learn.

Expanded Definition

Conditional Mediation is a WebAuthn user experience pattern that surfaces passkeys inside an existing sign-in flow when the browser and platform can mediate discovery, rather than sending the user to a separate authentication prompt. In practice, it is part of a broader shift toward passkey-first login, where the operating system or browser helps the user select a credential at the moment sign-in is already expected.

This pattern matters because it changes where authentication choice happens. Instead of teaching users to start from a dedicated passkey button, conditional mediation lets the login page present passkeys alongside usernames, passwords, or autofill options. That improves discoverability and reduces friction, but it also means the site must be designed to tolerate multiple credential paths without confusing the user or weakening assurance. The surrounding controls should align with guidance in the Web Authentication: An API for accessing Public Key Credentials Level 2 specification and the browser-supported mediation model.

Definitions vary across vendors when they describe the user journey, because some treat conditional UI as a passkey adoption feature while others frame it as a browser credential mediation capability. The most common misapplication is treating conditional mediation as a security control by itself, which occurs when teams assume browser surfacing automatically enforces stronger authentication without verifying the relying party configuration.

Examples and Use Cases

Implementing conditional mediation rigorously often introduces UX and platform-compatibility constraints, requiring organisations to weigh lower login friction against the need to support older browsers and mixed credential populations.

  • A consumer portal shows passkeys in the same username field where the user already begins sign-in, reducing abandoned logins on mobile devices.
  • An enterprise app uses conditional mediation during password migration so employees can adopt passkeys without learning a separate entry point.
  • A help desk-facing application keeps legacy passwords available for break-glass scenarios while offering passkeys as the default path for supported browsers.
  • A high-risk admin console pairs conditional mediation with phishing-resistant authentication policy, so the browser can suggest a passkey without replacing assurance checks.
  • Teams reviewing post-incident authentication improvements use the pattern documented in the New York Times breach as a reminder that usable login paths matter when credential compromise forces rapid redesign.

For implementation guidance, organisations also map the flow to NIST SP 800-53 Rev 5 Security and Privacy Controls so the convenience layer does not bypass authentication requirements or session handling rules.

Why It Matters in NHI Security

Conditional mediation is important in NHI security because it illustrates a recurring governance lesson: the easiest credential path is often the one users will adopt. When passkeys are surfaced naturally, organisations can reduce password dependence and lower the chance that users fall back to weaker, more phishable methods. That is especially relevant in environments where identity compromise is driven by credential reuse, social engineering, or overloaded sign-in choices.

NHI Management Group research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and that 79% of organisations have experienced secrets leaks with 77% causing tangible damage, a sign that authentication usability and credential hygiene are connected across both human and non-human identity programs. The same lesson applies to login design: if a safer path is awkward, users and administrators often route around it. Conditional mediation therefore becomes a governance concern, not just a product feature, because it influences whether secure authentication is actually used. It also supports broader access-control expectations in frameworks such as NIST SP 800-53 Rev 5 Security and Privacy Controls and the WebAuthn model described by the W3C Web Authentication specification.

Organisations typically encounter the operational cost of ignoring conditional mediation only after password fatigue, support tickets, or account takeover incidents expose that the preferred authentication path was never truly usable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 address the attack and risk surface, while NIST SP 800-63, NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST SP 800-63AAL2WebAuthn passkey mediation supports phishing-resistant authenticators aligned to digital identity assurance.
NIST CSF 2.0PR.AA-1Identity proofing and authentication guidance maps to controlled, user-friendly sign-in experiences.
OWASP Agentic AI Top 10Credential mediation affects how autonomous agents and browser flows request or reuse authentication.
NIST AI RMFAuthentication UX choices influence risk treatment and trustworthy system interaction.
NIST Zero Trust (SP 800-207)Zero trust requires strong, continuous authentication rather than convenience alone.

Treat conditional mediation as one step in continuous verification, not as a substitute for policy enforcement.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org