1 change: 1 addition & 0 deletions .gitignore
@@ -1,3 +1,4 @@
/bikeshed/
.vagrant/
.vs/
index.html
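
Review bot: The `.gitignore` addition is unrelated to the deprecation wording changed in index.bs, so consider landing it as its own change. Which of the four lines is the new one is not marked in this view; note that `index.html` has no leading slash, unlike `/bikeshed/`, so it matches a file of that name at any depth rather than only at the repository root.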
12 changes: 8 additions & 4 deletions index.bs
@@ -3703,7 +3703,9 @@ attributes.

<div dfn-type="dict-member" dfn-for="AuthenticatorSelectionCriteria">
: <dfn>authenticatorAttachment</dfn>
:: If this member is present, eligible [=authenticators=] are filtered to be only those authenticators attached with the specified
:: Note: This member is deprecated in favor of {{PublicKeyCredentialCreationOptions/hints}}. [=[RPS]=] SHOULD use {{PublicKeyCredentialHint/client-device}} instead of {{AuthenticatorAttachment/platform}}, and {{PublicKeyCredentialHint/security-key}} and/or {{PublicKeyCredentialHint/hybrid}} instead of {{AuthenticatorAttachment/cross-platform}} for [=registration ceremony|registration=].
Contributor

Hints support ordering by preference, a nuance that's not currently captured in this value-mapping guidance. I'd rather the nuance be thoroughly explained in the section on User-agent Hints Enumeration, but perhaps here we can simply mention it:

Suggested change
:: Note: This member is deprecated in favor of {{PublicKeyCredentialCreationOptions/hints}}. [=[RPS]=] SHOULD use {{PublicKeyCredentialHint/client-device}} instead of {{AuthenticatorAttachment/platform}}, and {{PublicKeyCredentialHint/security-key}} and/or {{PublicKeyCredentialHint/hybrid}} instead of {{AuthenticatorAttachment/cross-platform}} for [=registration ceremony|registration=].
:: Note: This member is deprecated in favor of {{PublicKeyCredentialCreationOptions/hints}}. [=[RPS]=] SHOULD use {{PublicKeyCredentialHint/client-device}} instead of {{AuthenticatorAttachment/platform}}, and {{PublicKeyCredentialHint/security-key}} and/or {{PublicKeyCredentialHint/hybrid}} (ordered by decreasing preference) instead of {{AuthenticatorAttachment/cross-platform}} for [=registration ceremony|registration=].


If this member is present, eligible [=authenticators=] are filtered to be only those authenticators attached with the specified
[[#enum-attachment|authenticator attachment modality]] (see also [[#sctn-authenticator-attachment-modality]]).
If this member is absent, then any attachment modality is acceptable.
The value SHOULD be a member of {{AuthenticatorAttachment}} but [=client platforms=] MUST ignore unknown values,
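
Review bot: The added "Note:" under authenticatorAttachment carries a normative "SHOULD" and now sits first under the `::` definition, ahead of the sentence that says what the member does ("If this member is present, eligible [=authenticators=] are filtered ..."). Keep the definition sentence first and put the deprecation guidance after it; if the SHOULD is meant to bind [=[RPS]=], state it in regular text rather than in a note. The note also gives "security-key and/or hybrid" without saying that hints are ordered, which is what the inline comment above asks to have mentioned.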
@@ -3732,6 +3734,8 @@ attributes.

### Authenticator Attachment Enumeration (enum <dfn enum>AuthenticatorAttachment</dfn>) ### {#enum-attachment}

Note: Authenticator Attachment is being deprecated in favor of {{PublicKeyCredentialHint}}. The {{AuthenticatorAttachment/platform}} value is superseded by {{PublicKeyCredentialHint/client-device}}, and {{AuthenticatorAttachment/cross-platform}} is superseded by {{PublicKeyCredentialHint/security-key}} and {{PublicKeyCredentialHint/hybrid}}. [=[RPS]=] SHOULD use {{PublicKeyCredentialCreationOptions/hints}} instead of {{AuthenticatorSelectionCriteria/authenticatorAttachment}}.
Contributor

I have a similar note here: without mentioning the ability to order hints by preference, it'll look to RPs like they must specify cross-platform hints as ["security-key", "hybrid"] when it's totally valid to specify them as ["hybrid", "security-key"] if an RP's preferences deemed it more appropriate.


This enumeration's values describe [=authenticators=]' [=authenticator attachment modality|attachment modalities=].
[=[RPS]=] use this to express a preferred [=authenticator attachment modality=]
when calling {{CredentialsContainer/create()|navigator.credentials.create()}}
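
Review bot: The Note added under the AuthenticatorAttachment enumeration says the feature "is being deprecated", while the Note added to the authenticatorAttachment member earlier in this diff says it "is deprecated"; pick one status and use the same wording in both places. The two notes also differ on the cross-platform mapping ("security-key and/or hybrid" there, "security-key and hybrid" here), so align them. Since this hunk restates the same mapping and the same SHOULD, consider keeping the full guidance in one place and cross-referencing it from the other.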
@@ -4458,17 +4462,17 @@ Note: The {{PublicKeyCredentialHint}} enumeration is deliberately not referenced
: <dfn>security-key</dfn>
:: Indicates that the [=[RP]=] believes that users will satisfy this request with a physical security key. For example, an enterprise [=[RP]=] may set this hint if they have issued security keys to their employees and will only accept those [=authenticators=] for [=registration ceremony|registration=] and [=authentication ceremony|authentication=].

For compatibility with older user agents, when this hint is used in {{PublicKeyCredentialCreationOptions}}, the {{AuthenticatorSelectionCriteria/authenticatorAttachment}} SHOULD be set to {{AuthenticatorAttachment/cross-platform}}.
This hint supersedes the deprecated {{AuthenticatorAttachment/cross-platform}} value of {{AuthenticatorSelectionCriteria/authenticatorAttachment}}. For compatibility with older user agents, when this hint is used in {{PublicKeyCredentialCreationOptions}}, the {{AuthenticatorSelectionCriteria/authenticatorAttachment}} SHOULD be set to {{AuthenticatorAttachment/cross-platform}}.

: <dfn>client-device</dfn>
:: Indicates that the [=[RP]=] believes that users will satisfy this request with a [=platform authenticator=] attached to the [=client device=].

For compatibility with older user agents, when this hint is used in {{PublicKeyCredentialCreationOptions}}, the {{AuthenticatorSelectionCriteria/authenticatorAttachment}} SHOULD be set to {{AuthenticatorAttachment/platform}}.
This hint supersedes the deprecated {{AuthenticatorAttachment/platform}} value of {{AuthenticatorSelectionCriteria/authenticatorAttachment}}. For compatibility with older user agents, when this hint is used in {{PublicKeyCredentialCreationOptions}}, the {{AuthenticatorSelectionCriteria/authenticatorAttachment}} SHOULD be set to {{AuthenticatorAttachment/platform}}.

: <dfn>hybrid</dfn>
:: Indicates that the [=[RP]=] believes that users will satisfy this request with general-purpose [=authenticators=] such as smartphones. For example, a consumer [=[RP]=] may believe that only a small fraction of their customers possesses dedicated security keys. This option also implies that the local [=platform authenticator=] should not be promoted in the UI.

For compatibility with older user agents, when this hint is used in {{PublicKeyCredentialCreationOptions}}, the {{AuthenticatorSelectionCriteria/authenticatorAttachment}} SHOULD be set to {{AuthenticatorAttachment/cross-platform}}.
This hint supersedes the deprecated {{AuthenticatorAttachment/cross-platform}} value of {{AuthenticatorSelectionCriteria/authenticatorAttachment}}. For compatibility with older user agents, when this hint is used in {{PublicKeyCredentialCreationOptions}}, the {{AuthenticatorSelectionCriteria/authenticatorAttachment}} SHOULD be set to {{AuthenticatorAttachment/cross-platform}}.

</div>
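
Review bot: Each of the three added sentences ("This hint supersedes the deprecated ... value") is followed directly by the existing compatibility sentence saying that same deprecated value SHOULD be set, while the Notes added earlier in this diff tell [=[RPS]=] to use hints instead of authenticatorAttachment. State explicitly that setting authenticatorAttachment alongside the hint is a transitional measure for older user agents, so the two SHOULDs do not read as contradictory. "Supersedes" also suggests equivalence that the visible text does not support: the member's definition says eligible authenticators "are filtered to be only those" with the given attachment, whereas each hint only "Indicates that the [=[RP]=] believes" how users will satisfy the request, so the text should say whether a hint restricts eligible authenticators the way the member did.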
