Passkey ≠ platform attachment #4552
Description
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
Dear Ory friends: This is a trivial correction but I know it may cause animated discussion. Currently the Passkey driver configuration hardcodes `authenticatorAttachment: "platform"`, but that is incorrect. A Passkey can be device-bound to a security key; in fact, arguably this is more secure and certainly better for the security paranoid among us. I would argue that this line should be removed. The UI would not change for the majority of users, except that now there will be a "More Options" available when the user starts the creation of their Passkey, and they would be able to select a security key should they prefer that option.
I know this is even a language problem at the WebAuthn level that I'll try to raise there, because that `authenticatorAttachment` does not really mean much since synced passkeys were introduced. You can start on your phone and select platform, but then you can authenticate with that passkey on another device because it was synchronized by the OS, and the relying party probably wanted exactly the opposite: passkeys that don't sync.
Does that make sense to you?
Reproducing the bug
Configure Kratos to use passkeys and try to enroll one: you will be presented only with the option to use the current device to store your passkey; you are not given the option to use an external security key.
Relevant log output
Relevant configuration
Version
26.2
On which operating system are you observing this issue?
macOS
In which environment are you deploying?
Docker Compose
Additional Context
No response