Skip to content

Deprecate Authenticator Attachment in favor of Hints #2383

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
akshayku wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Deprecate Authenticator Attachment in favor of Hints #2383

akshayku wants to merge 8 commits into from

Conversation

@akshayku
Copy link
Contributor

@akshayku akshayku commented Jan 28, 2026

Closes #2053

The following tasks have been completed:

  • Modified Web platform tests (link)

Implementation commitment:

Documentation and checks

  • Affects privacy
  • Affects security
  • Updated explainer (link)

akshayku
akshayku commented Jan 28, 2026
View reviewed changes
timcappalli
timcappalli reviewed Jan 28, 2026
View reviewed changes
timcappalli
timcappalli reviewed Jan 28, 2026
View reviewed changes
akshayku and others added 6 commits January 28, 2026 22:17
@akshayku @timcappalli
Update index.bs
414e682 
Co-authored-by: Tim Cappalli <tim@cloudauth.dev>
@akshayku @timcappalli
Update index.bs
d624835 
Co-authored-by: Tim Cappalli <tim@cloudauth.dev>
@akshayku
Add Note for Hybrid
68ef7ef
@akshayku
Add .vs to gitIgnore
f48957d
@akshayku
Removing Bikeshed Fix
9ac5c88
@akshayku
Removing Bikeshed Fix - 2
c715b3f
MasterKale
MasterKale reviewed Jan 28, 2026
View reviewed changes
index.bs
<div dfn-type="dict-member" dfn-for="AuthenticatorSelectionCriteria">
: <dfn>authenticatorAttachment</dfn>
:: If this member is present, eligible [=authenticators=] are filtered to be only those authenticators attached with the specified
:: Note: This member is deprecated in favor of {{PublicKeyCredentialCreationOptions/hints}}. [=[RPS]=] SHOULD use {{PublicKeyCredentialHint/client-device}} instead of {{AuthenticatorAttachment/platform}}, and {{PublicKeyCredentialHint/security-key}} and/or {{PublicKeyCredentialHint/hybrid}} instead of {{AuthenticatorAttachment/cross-platform}} for [=registration ceremony|registration=].
Copy link
Contributor

@MasterKale MasterKale Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hints support ordering by preference, a nuance that's not currently captured in this value-mapping guidance. I'd rather the nuance be thoroughly explained in the section on User-agent Hints Enumeration, but perhaps here we can simply mention it:

Suggested change
:: Note: This member is deprecated in favor of {{PublicKeyCredentialCreationOptions/hints}}. [=[RPS]=] SHOULD use {{PublicKeyCredentialHint/client-device}} instead of {{AuthenticatorAttachment/platform}}, and {{PublicKeyCredentialHint/security-key}} and/or {{PublicKeyCredentialHint/hybrid}} instead of {{AuthenticatorAttachment/cross-platform}} for [=registration ceremony|registration=].
:: Note: This member is deprecated in favor of {{PublicKeyCredentialCreationOptions/hints}}. [=[RPS]=] SHOULD use {{PublicKeyCredentialHint/client-device}} instead of {{AuthenticatorAttachment/platform}}, and {{PublicKeyCredentialHint/security-key}} and/or {{PublicKeyCredentialHint/hybrid}} (ordered by decreasing preference) instead of {{AuthenticatorAttachment/cross-platform}} for [=registration ceremony|registration=].

index.bs

### Authenticator Attachment Enumeration (enum <dfn enum>AuthenticatorAttachment</dfn>) ### {#enum-attachment}

Note: Authenticator Attachment is being deprecated in favor of {{PublicKeyCredentialHint}}. The {{AuthenticatorAttachment/platform}} value is superseded by {{PublicKeyCredentialHint/client-device}}, and {{AuthenticatorAttachment/cross-platform}} is superseded by {{PublicKeyCredentialHint/security-key}} and {{PublicKeyCredentialHint/hybrid}}. [=[RPS]=] SHOULD use {{PublicKeyCredentialCreationOptions/hints}} instead of {{AuthenticatorSelectionCriteria/authenticatorAttachment}}.
Copy link
Contributor

@MasterKale MasterKale Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a similar note here: without mentioning the ability to order hints by preference, it'll look to RPs like they must specify cross-platform hints as ["security-key", "hybrid"] when it's totally valid to specify them as ["hybrid", "security-key"] if an RP's preferences deemed it more appropriate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MasterKale MasterKale MasterKale left review comments

@timcappalli timcappalli timcappalli left review comments

@ve7jtb ve7jtb Awaiting requested review from ve7jtb

@emlun emlun Awaiting requested review from emlun

@nsatragno nsatragno Awaiting requested review from nsatragno

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Deprecate AuthenticatorAttachment in favor of PublicKeyCredentialHints.

3 participants

@akshayku @MasterKale @timcappalli