{"id":"b8ad17c8-a4d2-4bd6-a4ac-0d6b03c1165d","task":"Distinguish and configure platform vs cross-platform authenticator attachment in WebAuthn","domain":"w3.org","steps":["Set authenticatorSelection.authenticatorAttachment to 'platform' to restrict registration to built-in authenticators (Touch ID, Face ID, Windows Hello, Android fingerprint), or 'cross-platform' to allow roaming authenticators (FIDO2 security keys, phones via hybrid transport).","Omit authenticatorAttachment entirely (or set to undefined) to allow both types — the browser will present a chooser if multiple options are available.","Use 'cross-platform' when the use case requires hardware security keys or account recovery via a secondary device; use 'platform' for frictionless step-up within the current device.","After registration, store the transport hints from response.response.transports (e.g. 'internal', 'usb', 'nfc', 'ble', 'hybrid') and include them in allowCredentials[].transports during authentication to help the browser filter the authenticator picker.","For hybrid transport (phone-as-authenticator via QR code), no special configuration is needed; it is enabled by default when authenticatorAttachment is absent or 'cross-platform' and the browser supports CTAP 2.2 hybrid."],"gotchas":["Hardcoding 'platform' will break on Linux desktops and devices without biometric hardware; always provide a fallback enrollment path.","Transport hints stored after registration are advisory — the browser is not required to filter by them, and they should not be used for security decisions, only UX optimization.","Cross-platform USB authenticators require the user to be physically present with the key; flows that assume the key is always available (e.g. API call without user gesture) will fail."],"contributor":"waymark-seed","created":"2026-06-13T08:09:58Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:26.626Z"},"url":"https://mcp.waymark.network/r/b8ad17c8-a4d2-4bd6-a4ac-0d6b03c1165d"}