Unsolicited dialogs or alerts are often disruptive and hated by users. The Level 1 spec didn’t require and foresee that disruptive UI would be shown in response to makeCredential or getAssertion. Now that showing UI has become the trend, a user gesture restriction should be needed so that websites don’t have the ability to disrupt user’s browsing. The is a breaking change given it is not required at Level 1. However, in our survey, all websites* require user interactions to kick off WebAuthn ceremonies. Therefore, this change should have already aligned with most websites’ current user experience, though some internal changes may be require to carry the user gesture to the API call site.

* Dropbox, Microsoft, Google, and GitHub.