diff --git a/spec/index.bs b/spec/index.bs index ed519c2d..4f8e91ac 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -820,6 +820,11 @@ the exception thrown. 1. Let |config| be the result of running [=fetch the config file=] with |provider| and |globalObject|. 1. If |config| is failure, return (failure, false). + 1. If |options|.{{IdentityCredentialRequestOptions/mode}} is "active", + then let |modeSettings| be + |config|.{{IdentityProviderAPIConfig/modes}}.{{IdentityProviderModes/active}}; + otherwise, + |config|.{{IdentityProviderAPIConfig/modes}}.{{IdentityProviderModes/passive}}. 1. Fetch accounts step: Let |accountsList| be the result of [=fetch the accounts=] with |config|, |provider|, and |globalObject|. 1. If |accountsList| is failure, or the size of |accountsList| is 0: 
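Review bot: The added mode-selection step can leave |modeSettings| unbound or undefined: its "otherwise" arm names a value but never says "let |modeSettings| be", and `modes`, `active` and `passive` are all optional in the IDL added by the later `IdentityProviderModeSettings`/`IdentityProviderModes` and `IdentityProviderAPIConfig` hunks, where `supports_use_other_account` also has no default. The config file is supplied by the IDP, so the algorithm should say what happens when any of these members is absent; otherwise the later "is true" test reads a missing member and user agents may diverge on whether the affordance is shown. I would reword the step (keeping the existing `{{…}}` links) to `1. Let |modeSettings| be |config|.modes.active if |options|.mode is "active", and |config|.modes.passive otherwise; if that member does not exist, let |modeSettings| be an empty dictionary.` and declare `boolean supports_use_other_account = false;` in the dictionary. The enclosing algorithm starts and ends outside the hunk.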
@@ -899,22 +904,28 @@ the exception thrown. 1. Otherwise, if |accountsList|'s size is 1: 1. Set |account| to |accountsList|[0]. 1. If [=compute the connection status=] of |account|, |provider| and |globalObject| returns - [=compute the connection status/connected=], show a dialog to request user permission to sign - in via |account|, and set the result in |permission|. The user agent MAY use |options|'s - {{IdentityCredentialRequestOptions/context}} and |options|'s - {{IdentityCredentialRequestOptions/mode}} to customize the dialog. + [=compute the connection status/connected=]: + 1. Show a dialog to request user permission to sign in via |account|, and set the result + in |permission|. The user agent MAY use |options|'s + {{IdentityCredentialRequestOptions/context}} and |options|'s + {{IdentityCredentialRequestOptions/mode}} to customize the dialog. + 1. If |modeSettings|.{{IdentityProviderModeSettings/supports_use_other_account}} is true, + that dialog MUST provide an affordance to use another account. If that + affordance is triggered: + 1. [=Show an IDP login dialog=] with |config|, |provider|, and |globalObject|. + 1. If that returned success, go back to the [=fetch accounts step=]. 1. Otherwise, let |permission| be the result of running [=request permission to sign-up=] - algorithm with |account|, |config|, |provider|, and |globalObject|. Also set - |disclosureTextShown| to true. + algorithm with |account|, |modeSettings|, |config|, |provider|, and + |globalObject|. Also set |disclosureTextShown| to true. 1. Otherwise: - 1. Set |account| to the result of running the [=select an account=] from the - |accountsList|. + 1. Set |account| to the result of running [=select an account=] with + |accountsList|, |modeSettings|, |config|, |provider|, and |globalObject|. 1. If |account| is failure, return (failure, true). - 1. 
If [=compute the connection status=] of |account|, |provider| and |globalObject| is - [=compute the connection status/connected=], set |permission| to true. + 1. If [=compute the connection status=] of |account|, |provider|, and |globalObject| + is [=compute the connection status/connected=], set |permission| to true. 1. Otherwise: 1. Let |permission| be the result of running the [=request permission to sign-up=] - algorithm with |account|, |config|, |provider|, and |globalObject|. + algorithm with |account|, |modeSettings|, |config|, |provider|, and |globalObject|. 1. Set |disclosureTextShown| to true. 1. Wait until the [=user agent=]'s dialogs requesting for user choice or permission to be closed, if any are created in the previous steps. @@ -1070,6 +1081,15 @@ dictionary IdentityProviderBranding { USVString name; }; +dictionary IdentityProviderModeSettings { + boolean supports_use_other_account; +}; + +dictionary IdentityProviderModes { + IdentityProviderModeSettings active; + IdentityProviderModeSettings passive; +}; + dictionary IdentityProviderAPIConfig { required USVString accounts_endpoint; required USVString client_metadata_endpoint; @@ -1077,6 +1097,7 @@ dictionary IdentityProviderAPIConfig { required USVString login_url; USVString disconnect_endpoint; IdentityProviderBranding branding; + IdentityProviderModes modes; }; @@ -1306,10 +1327,17 @@ dictionary IdentityAssertionResponse {
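Review bot: The new "use another account" sub-steps in the single-account connected branch define only the success path: when [=Show an IDP login dialog=] does not return success, nothing says whether the permission dialog stays open, |permission| becomes false, or the algorithm returns failure. A sibling step is needed, for example `1. Otherwise, continue showing the dialog requesting permission to sign in via |account|.`, or whichever outcome is intended. It would also help to state that going back to the fetch accounts step discards the earlier |account| and |permission|, so a choice made against the old accounts list cannot carry over to the re-fetched one. The -820 hunk shows "Fetch accounts step:" only as plain text, so please confirm it is marked up as a definition that `[=fetch accounts step=]` can resolve to. The enclosing algorithm starts and ends outside the hunk.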