Windows ignoring attachment & setting transport incorrectly
211 views
Skip to first unread message
Tomás Silva
Mar 5, 2026, 2:59:05 AM
Mar 5
to FIDO Dev (fido-dev)
Hello everyone,
I'm facing a couple of issues while creating & using passkeys in Windows. I'm wondering if anyone has also encountered something similar and has any tips or insights I could use.
Issue 1 (attachment being ignored):
When sending the options to the authenticator I'm specifically setting the attachment as "platform" due to an internal requirement:
....
"timeout"
:
180000
,
"excludeCredentials"
:
[
]
,
"authenticatorSelection"
:
{
"authenticatorAttachment"
:
"platform"
,
"requireResidentKey"
:
true
,
"userVerification"
:
"required"
,
"residentKey"
:
null
}
,
"attestation"
:
"direct"
,
"extensions"
:
{
.....
Nonetheless, in Windows specifically, I'm getting a cross-platform behavior. It offers the option to create a passkey using a roaming authenticator. This does not happen in macOS systems.
Is this a known issue or expected behavior? Is there a known way to enforce the attachment sent?
Issue 2 (transport set incorrectly):
Another issue I'm facing, is the transport being returned after creating the passkey with a roaming authenticator. After creating the passkey, the publicKey returned has an "internal" transport, instead of a "hybrid" transport.Is it not the expected behavior to return the transport array with "hybrid" when using a roaming authenticator? I'm aware the mobile phone (i.e.) will send its transport as "internal", but shouldn't the paired browser push the "hybrid" transport when using a cross-platform authenticator?
Here is an extracted response from the authenticator creation with a roaming passkey:
{
...
"publicKeyCredentials" : { "id" : "3Kv-VKnJeAX9ORq4OR59ww" , "type" : "public-key" , "response" : { "clientDataJSON" : REDACTED , "attestationObject" : REDACTED ,
"transports" : [ "internal" ] } , ...
Thank you for your attention!
"publicKeyCredentials" : { "id" : "3Kv-VKnJeAX9ORq4OR59ww" , "type" : "public-key" , "response" : { "clientDataJSON" : REDACTED , "attestationObject" : REDACTED ,
"transports" : [ "internal" ] } , ...
Thank you for your attention!
Oracle X
Mar 13, 2026, 9:00:10 AM
Mar 13
to Tomás Silva, FIDO Dev (fido-dev)
Hey sorry for late reply
How can I help you out with this ?
Hello everyone,I'm facing a couple of issues while creating & using passkeys in Windows. I'm wondering if anyone has also encountered something similar and has any tips or insights I could use.Issue 1 (attachment being ignored):When sending the options to the authenticator I'm specifically setting the attachment as "platform" due to an internal requirement:....
"timeout" : 180000 , "excludeCredentials" : [ ] , "authenticatorSelection" : { "authenticatorAttachment" : "platform" , "requireResidentKey" : true , "userVerification" : "required" , "residentKey" : null } , "attestation" : "direct" , "extensions" <span style="color-scheme: unset; ruby-position: unset; writing-mode: unset; display: unset; font-family: unset; font-feature-settings: unset; font-kerning: unset; font-optical-sizing: unset; font-palette: unset; font-size: unset; font-size-adjust: unset; font-style: unset; font-synthesis-small-caps: unset; font-synthesis-style: unset; font-synthesis-weight: unset; font-variant-alternates: unset; font-variant-caps: unset; font-variant-east-asian: unset; font-variant-ligatures: unset; font-variant-numeric: unset; font-variant-position: unset; font-variation-settings: unset; font-width: unset; text-orientation: unset; text-rendering: unset; zoom: unset; letter-spacing: unset; text-autospace: unset; word-spacing: unset; background-image: unset; background-position: unset; background-size: unset; background-repeat: unset; background-attachment: unset; background-origin: unset; background-clip: unset; mask-clip: unset; mask-border: unset; accent-color: unset; place-content: unset; place-items: unset; place-self: unset; alignment-baseline: unset; anchor-name: unset; anchor-scope: unset; animation-composition: unset; animation: unset; appearance: unset; aspect-ratio: unset; backdrop-filter: unset; backface-visibility: unset; background-blend-mode: unset; baseline-shift: unset;
Tomás Silva
Mar 13, 2026, 9:24:00 AM
Mar 13
to FIDO Dev (fido-dev), Oracle X, FIDO Dev (fido-dev), Tomás Silva
Hey,
As a quick update, you can disregard "issue 2" as it was a wrong implementation on my end.
Regarding issue 1, the problem persists, is there any way to "force" windows to only offer "platform"-based authenticator registration methods?
I've messed around with client hints and attachment but Windows seems to always present all options, including "cross-platform" ones.
Thanks.
DAMILOLA OLANREWAJU
Mar 16, 2026, 5:51:21 AM
Mar 16
to Tomás Silva, FIDO Dev (fido-dev), Oracle X
Created passkeys can easily lost and mixed because of many way it comes developer way when developing because development is the way to go to make passkeys
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org .
To view this discussion visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/4eb46995-bca3-487b-b30f-372c2a9a286fn%40fidoalliance.org .
Reply all
Reply to author
Forward
Search
Clear search
Close search
Google apps
Main menu
