Platform vs roaming authenticators

Every demo so far let the browser pick whichever authenticator it wanted. One option in authenticatorSelectionauthenticatorAttachment — restricts that choice to one of two categories: a platform authenticator (Touch ID, Windows Hello, something built into this device) or a cross-platform one (a USB/NFC/BLE security key, or a phone — "roaming" because it isn't tied to the device you're registering from).

The browser's own UI changes based on this option — a platform-only request never shows a "use a security key" choice, and vice versa.

The options that make the distinction

const credential = (await navigator.credentials.create({
  publicKey,
})) as PublicKeyCredential;
const response = credential.response as AuthenticatorAttestationResponse;
// 

The difference lives entirely in the options passed into the call above — try both buttons below and watch the Inspector report back whichever attachment and transport your authenticator actually used.

Register with a platform authenticator

Register with a cross-platform (roaming) authenticator