Authenticator Attachment in Public Key Credential

[z11h]

In order for a site to know whether a local platform authenticator was used, or whether the user used another device and thus might want to register a local platform authenticator, this is a proposal that an authenticator attachment field be added to the public key credential response on both registration success & authentication success.

Thus, if the proposed authenticator attachment field of the attestation/assertion is “cross-platform”, and isUVPAA (i.e a user-verifying platform authenticator is available [1]) returns true, then sites should have the ability to offer to the user to register the current device's platform authenticator.

(In order to avoid superfluously re-registering devices if the user happened to use a phone or security key to sign in, even though the platform authenticator is already registered, the site may wish to track the registration status of the platform authenticator in local state. If the authenticator attachment was “internal” then the local state should be set to reflect that.)

Reference: #1637
[1] https://w3c.github.io/webauthn/#user-verifying-platform-authenticator