Hello everyone,
I'm facing a couple of issues while creating & using passkeys in Windows. I'm wondering if anyone has also encountered something similar and has any tips or insights I could use.
Issue 1 (attachment being ignored):
When sending the options to the authenticator, I'm specifically setting the attachment as "platform" due to an internal requirement:
....
"timeout": 180000,
"excludeCredentials": [],
"authenticatorSelection": {
  "authenticatorAttachment": "platform",
  "requireResidentKey": true,
  "userVerification": "required",
  "residentKey": null
},
"attestation": "direct",
"extensions": {.....
Nonetheless, on Windows specifically, I'm getting cross-platform behavior. It offers the option to create a passkey using a roaming authenticator. This does not happen on macOS systems.
Is this a known issue or expected behavior? Is there a known way to enforce the attachment sent?
Issue 2 (transport set incorrectly):
Another issue I'm facing is the transport being returned after creating the passkey with a roaming authenticator. After creating the passkey, the publicKey returned has an "internal" transport instead of a "hybrid" transport.
Is it not the expected behavior to return the transport array with "hybrid" when using a roaming authenticator? I'm aware the mobile phone, for example, will send its transport as "internal", but shouldn't the paired browser push the "hybrid" transport when using a cross-platform authenticator?
Here is an extracted response from the authenticator creation with a roaming passkey:
{
  ...
  "publicKeyCredentials": {
    "id": "3Kv-VKnJeAX9ORq4OR59ww",
    "type": "public-key",
    "response": {
      "clientDataJSON": REDACTED,
      "attestationObject": REDACTED,
      "transports": [
        "internal"
      ]
    },
    ...
Thank you for your attention!
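
A relying-party-side check for the two observations in the post above, as an added example that is not part of the original post: it lints the creation options and compares the requested attachment with the `authenticatorAttachment` member the client reports alongside the credential. The function names and the `authenticatorAttachment` value in the sample response are assumptions; the post does not show that field.

```javascript
// Added example, not from the original post. Sample objects are constructed.
const RESIDENT_KEY_VALUES = ["discouraged", "preferred", "required"];

// Flag option values that a client may ignore or interpret differently.
function lintCreationOptions(options) {
  const sel = options.authenticatorSelection || {};
  const findings = [];
  if (sel.residentKey !== undefined && !RESIDENT_KEY_VALUES.includes(sel.residentKey)) {
    findings.push("residentKey is not a recognised value: " + JSON.stringify(sel.residentKey));
  }
  if (sel.requireResidentKey === true && sel.residentKey !== "required") {
    findings.push('requireResidentKey is true but residentKey is not "required"');
  }
  return findings;
}

// Compare the requested attachment with what the client reports it used.
// authenticatorAttachment in the response is client-reported, not signed.
function auditRegistration(options, credential) {
  const wanted = (options.authenticatorSelection || {}).authenticatorAttachment;
  const reported = credential.authenticatorAttachment;
  const transports = (credential.response || {}).transports || [];
  const reasons = [];
  if (wanted && reported == null) {
    reasons.push("client did not report authenticatorAttachment");
  } else if (wanted && reported !== wanted) {
    reasons.push("requested " + wanted + ", client reported " + reported);
  }
  if (wanted === "platform" && transports.some((t) => t !== "internal")) {
    reasons.push("unexpected transports for platform policy: " + transports.join(","));
  }
  return { accept: reasons.length === 0, reasons };
}

// Options as shown in the post (elided members left out).
const options = {
  timeout: 180000, excludeCredentials: [], attestation: "direct",
  authenticatorSelection: { authenticatorAttachment: "platform",
    requireResidentKey: true, userVerification: "required", residentKey: null },
};
// Response as shown in the post; authenticatorAttachment is a constructed value.
const credential = {
  id: "3Kv-VKnJeAX9ORq4OR59ww", type: "public-key",
  authenticatorAttachment: "cross-platform", // assumption, not in the post
  response: { transports: ["internal"] },
};

console.log(lintCreationOptions(options));
console.log(auditRegistration(options, credential));
```

With these inputs the transports check alone passes, since the array holds only "internal"; the rejection comes from the reported attachment.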