Allow immediate mediation

[deephand]

Proposed Change

I added an explainer in the wiki that suggests to return a NotFoundError when there are no locally available credentials and otherwise show the modal UI. This should allow RPs to go formless and skip the hybrid flow, which is time consuming and not always applicable.

I would like to hear your opinions about it, thanks in advance!

[kopy]

In B2B, workspace, and smaller deployments, this functionality can be helpful.

For larger consumer deployments with a lot of existing accounts (1 million+), removing the familiar username field (email/phone) and only showing a sign-in button at first would be confusing for users. This is also why many large-scale websites haven’t elevated a “Use Passkey” button yet to the same level as the username field. Instead, they attempt to start a passkey ceremony automatically after the username is entered, even if it comes with complications like user enumeration and false positives (e.g., QR codes). In those cases, conditional mediation still works well because the user has not yet entered their username, but with this approach it would not work due to the AllowList limitation.