
UX behavior when there are no matching credentials #98

@ianbjacobs

The initial SPC implementation had no UX when, at authentication time, no credential IDs matched what had been enrolled in the browser.

This has raised privacy issues (e.g., risk of timing attacks). One proposal discussed within Google is for the browser to notify the user that the merchant will be trying some other authentication mechanism. I have the sense that people are not particularly excited about this from a user experience perspective.

The previous fallbackURL was removed (cf. issue #57). I think the idea of the fallbackURL was to create a seamless UX in the case when no credentials matched. @stephenmcgruer remarked in that issue: "This was never implemented inside Chromium, and during the Q4 2020 pilot with Stripe we didn't find any need for it either. Instead, the caller can just handle the rejected promise from request.show() and utilize their own fallback mechanism."

I am raising this issue to see if there are other ideas that might improve upon the "notify the user" UX.
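
The caller-side handling quoted from issue #57, sketched as an added example that is not part of the original issue or of any browser or merchant code. `buildSpcMethodData`, `confirmWithFallback`, `NoMatchPaymentRequest` and `demo` are hypothetical names, the request field names are assumed from the current SPC draft, and all values are constructed.

```javascript
// Field names follow the current SPC draft (an assumption relative to this issue).
function buildSpcMethodData(data) {
  return [{ supportedMethods: 'secure-payment-confirmation', data: { timeout: 60000, ...data } }];
}

// PaymentRequestCtor is injected (hypothetical parameter) so the flow also runs outside a browser.
async function confirmWithFallback({ PaymentRequestCtor, methodData, details, fallback }) {
  if (typeof PaymentRequestCtor !== 'function') {
    return { path: 'fallback', result: await fallback() };
  }
  let response;
  try {
    response = await new PaymentRequestCtor(methodData, details).show();
  } catch (err) {
    // Every rejection of show() takes the same branch; the caller
    // does not need to know why the browser rejected.
    return { path: 'fallback', result: await fallback() };
  }
  await response.complete('success');
  return { path: 'spc', result: response.details };
}

// Constructed stand-in for a browser with no matching credential: show() rejects.
class NoMatchPaymentRequest {
  show() {
    return Promise.reject(new Error('constructed rejection'));
  }
}

// Constructed inputs: placeholder bytes, origins and amounts.
function demo(PaymentRequestCtor = NoMatchPaymentRequest) {
  const methodData = buildSpcMethodData({
    credentialIds: [Uint8Array.from([1, 2, 3, 4])],
    challenge: Uint8Array.from([9, 9, 9, 9]),
    rpId: 'bank.example',
    payeeOrigin: 'https://merchant.example',
    instrument: { displayName: 'Example card', icon: 'https://bank.example/card.png' },
  });
  const details = { total: { label: 'Total', amount: { currency: 'USD', value: '5.00' } } };
  const fallback = async () => 'merchant-own-challenge-flow';
  return confirmWithFallback({ PaymentRequestCtor, methodData, details, fallback });
}

demo().then((r) => console.log(r.path));
```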
