I have been experimenting a little with recent Chrome and Safari support for caBLE as an authenticator transport. There are plenty of interesting edge cases and observations, but one that concerns me quite a bit is the different behaviours by each vendor under which it is offered as an option during credential registration, and some broken use cases.
For example, I understand that Chrome does not offer caBLE if a resident key (discoverable credential) is requested in options, with the assumption this is because Android doesn't support RK yet. Understandable.
Safari on the other hand does, and even says in the UI "iPhone, iPad, or Android device", even though currently an Android device will not support RK. Completing this flow using an Android device is successful though, and a credential is created. Is the requireResidentKey option not transmitted from Safari to the Android authenticator when using the caBLE transport?!
Next weird observation is what happens when authenticatorAttachment is provided in options. If it's not provided, both Safari and Chrome offer caBLE as a transport.
When it is specified, the two browsers behave completely opposite to one another. Safari only offers caBLE if "platform" is specified, and Chrome only if "cross-platform" is specified. This divergence is discouraging. I'm not sure if the CTAP spec provides any guidance at this level of detail, but I really think it needs to if we plan to head toward open compatibility with caBLE as a transport and not just have Safari-requires-iOS-devices, and Chrome-requires-Android-devices.
I realise this is somewhat bleeding edge, but I feel there are too many bleeding differences, and not enough consistency even at this early stage of delivery.
Cheers,
Shane.
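The two knobs the post turns on, `authenticatorAttachment` and the resident-key request, and a check on what the client actually returned, as an added example that is not part of the original post. It assumes the WebAuthn Level 2 option names, the `credProps` client extension for reporting the real `rk` state, and `getTransports()` on the attestation response; the transport name `hybrid` is the later standard name for caBLE, `cable` the earlier one some clients reported.

```javascript
// Added example (not from the original post): RP-side helpers that build the
// registration options discussed above and then audit what actually came back,
// so a "required" resident key that the authenticator silently ignored is caught.

const CABLE_TRANSPORTS = new Set(["cable", "hybrid"]); // earlier and later caBLE names

// Build PublicKeyCredentialCreationOptions. Leave `attachment` undefined to let the
// browser offer any transport (the case where both Safari and Chrome show caBLE).
function buildCreationOptions({ rpId, userId, userName, challenge, attachment, discoverable }) {
  const authenticatorSelection = {
    userVerification: "preferred",
    // Level 2 enum plus the Level 1 boolean, so older clients see the same request.
    residentKey: discoverable ? "required" : "discouraged",
    requireResidentKey: discoverable,
  };
  if (attachment !== undefined) authenticatorSelection.authenticatorAttachment = attachment;
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection,
    // Ask the client to report whether the credential really is discoverable.
    extensions: { credProps: true },
  };
}

// Inspect the PublicKeyCredential returned by navigator.credentials.create().
// `discoverable` is what the RP asked for; the result says what the RP may rely on.
function auditRegistration(credential, { discoverable }) {
  const ext = credential.getClientExtensionResults() || {};
  const rk = ext.credProps ? ext.credProps.rk : undefined; // undefined: client did not say
  const transports = typeof credential.response.getTransports === "function"
    ? credential.response.getTransports()
    : [];
  return {
    usedCable: transports.some((t) => CABLE_TRANSPORTS.has(t)),
    rkReported: rk,
    // Treat the credential as discoverable only when the client positively confirmed it.
    discoverableConfirmed: rk === true,
    // Required RK but no positive confirmation: store it as a non-discoverable
    // credential and keep asking for a username at login for this one.
    mismatch: discoverable && rk !== true,
  };
}
```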