Firstyear

I ... mentioned that. sub is the primary key, and preferred username is for display.

Inversely, the opposite behaviour is also desirable where backupEligible: false would prevent the user from using a device that is backup eligible in cases where it's not required.

> However, maybe it might make sense to split this into two RFCs. This complex one for all the fluff, and another one for the straightforward authentication case. Like for...

@MasterKale ping, where would be the best place to start?

@MasterKale Awesome! Ping me once done, and I'll help out :)

@lgarron you can't mix discoverable and non discoverable credentials in most work flows. Additionally, most credentials have no way to inspect what discoverable (resident keys) exist and have no method...

> @lgarron It was a little ambiguous to me in the OP, to clarify your ask: you're simply proposing adding a new property `discoverableCredential` to [`AuthenticatorSelectionCriteria`](https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-authenticatorselection) that is a alias...

@justnotherdev This was raised here https://github.com/w3c/webauthn/issues/1716 and the WG has chosen to ignore this use case from RP's.

Sadly there are no work arounds :( You can enforce it's only a security key in the registration by forcing attestation and consulting the aaguid with a list of known...

The issue here is that this process is wayyyyy too complex for most people to be able to manage. I couldn't imagine trying to communicate this to my brother who...