Firstyear

Results 704 comments of Firstyear

> With platforms introducing support for cross-device credentials, don't we also need/want a mechanism to allow signalling to the platform, on credential creation, that a hardware-backed key is desired? @eldanb...

> With platforms introducing support for cross-device credentials, don't we also need/want a mechanism to allow signalling to the platform, on credential creation, that a hardware-backed key is desired? >...

Here is a collection of use cases I submitted, as an RP that might help communicate what is desired as an RP, and might help you to design something appropriate....

> Perhaps refine this to "hint to the client to guide UX during the registration ceremony, that non-device-bound keys would ultimately be rejected by the relying party"? Any hint we...

> Wouldn't DPK support (PR#1663) be sufficient? Essentially not preventing the multi-device key, but ensuring an additional single-device key being established _per device_. DPK is only known *after* the authentication...

> The case _without_ DPK is not as good, as the RP couldn't distinguish first-time use of the credential on a device from subsequent credential usage on a device -...

> While I generally agree that this results in a poor user experience, this is not new and existed prior to multi-device credentials. That isn't a valid excuse or reason...

> > If multi-device credentials (more specifically those backed up to a user's platform-provider cloud account) are not able to be excluded by RP policy during credential creation, the spec...

> > But, how can we distinguish that the credential is coming from the platform authenticator or from the roaming authenticator > > The `authenticatorAttachment` value in the [resulting object](https://w3c.github.io/webauthn/#iface-pkcredential)...

All good, so long as it's just for UX flow, that's fine to use the authenticatorAttachment there.