Re: [webauthn] Platform authentication registration promotion when the user has authenticated with the external authenticator (#1759)

> > But, how can we distinguish that the credential is coming from the platform authenticator or from the roaming authenticator
> The `authenticatorAttachment` value in the resulting object will tell you if the device used to generate the assertion was `platform` or `cross-platform`.

This value is unsigned and can't be trusted to be valid or correct. Just the same as the resident key status, it can be freely altered by client-side tooling and JS.

@Kieun As an RP the only thing you can trust is signed, attested properties. To determine the attachment you need to look at the CA used in attestation, and then subsequently the device AAGUID to understand what the attachment was during a ceremony.

GitHub Notification of comment by Firstyear

Received on Thursday, 30 June 2022 00:16:24 UTC
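
An added example, not part of the original comment or of any WebAuthn library: a Node.js sketch of an RP deriving the attachment from the AAGUID inside the signed `authenticatorData` at registration, ignoring the client-reported `authenticatorAttachment`. The lookup table, the AAGUID values, the `attestationVerified` flag and all function names are assumptions made for illustration.

```javascript
// Added example: names and AAGUID values are constructed for illustration.
const AT_FLAG = 0x40; // authenticatorData flag: attested credential data present

// Hypothetical RP-maintained table (e.g. built from metadata the RP trusts).
const KNOWN_AAGUIDS = new Map([
  ["00000000-0000-4000-8000-0000000000a1", "platform"],
  ["00000000-0000-4000-8000-0000000000b2", "cross-platform"],
]);

// Read the AAGUID out of authenticatorData:
// rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | ...
function aaguidFromAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  if (!(authData[32] & AT_FLAG)) return null; // no attested credential data
  if (authData.length < 55) throw new Error("attested credential data truncated");
  const h = authData.subarray(37, 53).toString("hex");
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join("-");
}

// attestationVerified (assumption): the RP has already validated the
// attestation statement signature and its chain to a CA it trusts.
// clientAttachment is the unsigned authenticatorAttachment field; it is
// accepted here only to show that it plays no part in the decision.
function attachmentFor({ authData, attestationVerified, clientAttachment }) {
  if (!attestationVerified) return "unknown";
  const aaguid = aaguidFromAuthData(authData);
  return (aaguid && KNOWN_AAGUIDS.get(aaguid)) || "unknown";
}

// Constructed sample authenticatorData (public key bytes omitted for brevity).
function sampleAuthData(aaguid, flags = 0x45) {
  return Buffer.concat([
    Buffer.alloc(32, 0x11),                       // rpIdHash
    Buffer.from([flags]),                         // UP | UV | AT
    Buffer.alloc(4),                              // signCount = 0
    Buffer.from(aaguid.replace(/-/g, ""), "hex"), // aaguid
    Buffer.from([0x00, 0x02, 0xaa, 0xbb]),        // credIdLen = 2, credId
  ]);
}

const roaming = sampleAuthData("00000000-0000-4000-8000-0000000000b2");
console.log(attachmentFor({ authData: roaming, attestationVerified: true, clientAttachment: "platform" }));
```

Anything the RP cannot tie to a verified attestation, or whose AAGUID is not in its table, comes back as `unknown` rather than falling back to the client-supplied value.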