Platform vs roaming authenticators
Every demo so far let the browser pick whichever authenticator it wanted. One
option in authenticatorSelection — authenticatorAttachment
— restricts that choice to one of two categories: a platform
authenticator (Touch ID, Windows Hello, something built into this device) or a
cross-platform one (a USB/NFC/BLE security key, or a phone —
"roaming" because it isn't tied to the device you're registering from).
The browser's own UI changes based on this option — a platform-only request never shows a "use a security key" choice, and vice versa.
The options that make the distinction
const credential = (await navigator.credentials.create({
publicKey,
})) as PublicKeyCredential;
const response = credential.response as AuthenticatorAttestationResponse;
// The difference lives entirely in the options passed into the call above — try both buttons below and watch the Inspector report back whichever attachment and transport your authenticator actually used.