
Provide a way for an RP to indicate backup preference during credential registration for providers who support both backed-up and non-backed up credential #2252

Open
akshayku opened this issue Feb 3, 2025 · 4 comments · May be fixed by #2253 or #2259

Comments

@akshayku
Contributor

akshayku commented Feb 3, 2025

Description

Passkey providers/authenticators now support backed-up and non-backed-up credentials. The choices they offer vary from one provider to another.

Currently, an RP has no way to express its preference regarding backed-up credentials. For example, some enterprises and high-security consumer RPs may want a non-backed-up credential. Other RPs may prefer a backed-up credential for their use cases, for availability everywhere w.r.t. current and future devices.

For the providers who support both backed-up and non-backed-up credential, RP's preference helps guide the user.

Hence, we need a way for an RP to indicate their backup preference in WebAuthn spec.

Note: Given the nature of the different options provided by providers/authenticators, their capabilities, user choices, etc., the RP must expect both backed-up and non-backed-up credentials in registration responses.
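An added example (not code from this issue or from the WebAuthn spec) of the RP-side handling the note above calls for: parsing the Backup Eligibility (BE) and Backup State (BS) flags from the registration response's authenticator data, accepting either kind of credential, and recording whether the outcome matched a soft preference. The preference labels `any`, `backed-up` and `device-bound` are assumed RP-side policy names, not hint values from #2253.

```javascript
// Flag bits of the WebAuthn authenticator data flags byte (authData[32]).
const FLAG_UP = 1 << 0; // user present
const FLAG_UV = 1 << 2; // user verified
const FLAG_BE = 1 << 3; // backup eligible
const FLAG_BS = 1 << 4; // backup state (currently backed up)
const FLAG_AT = 1 << 6; // attested credential data included

// Parse the fixed-size prefix of authenticator data:
// 32-byte rpIdHash, 1 flags byte, 4-byte big-endian signCount.
function parseAuthDataPrefix(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    hasAttestedCredentialData: (flags & FLAG_AT) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Apply an RP's *soft* backup preference to a registration response.
// `preference` is a hypothetical RP-side policy label, not a WebAuthn hint.
// The credential is accepted either way; the result carries the backup
// flags (to be stored with the credential) and whether they matched.
function evaluateBackupPreference(authData, preference) {
  const p = parseAuthDataPrefix(authData);
  // BS may only be set when BE is set; anything else is malformed.
  if (p.backedUp && !p.backupEligible) throw new Error("BS set without BE");
  if (!p.hasAttestedCredentialData) throw new Error("no attested credential data");
  let matches = true;
  if (preference === "backed-up") matches = p.backupEligible;
  else if (preference === "device-bound") matches = !p.backupEligible;
  else if (preference !== "any") throw new Error("unknown preference: " + preference);
  return { backupEligible: p.backupEligible, backedUp: p.backedUp, matchesPreference: matches };
}

// Constructed sample: rpIdHash placeholder (32 zero bytes), flags, signCount 0.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  return buf;
}

const SYNCED = sampleAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT);
const DEVICE_BOUND = sampleAuthData(FLAG_UP | FLAG_UV | FLAG_AT);
```

A real RP would run this after the usual attestation and origin checks, then persist `backupEligible`/`backedUp` so a later change in BS on assertions can be noticed.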

@emlun
Member

emlun commented Feb 3, 2025

See also:

I worry that the option to disable backup/sync for some credentials would confuse users, ultimately getting them locked out because they weren't aware that some credentials were not backed up. A "soft" preference (i.e., hints) would be less a problem in that way than a hard filter, but I'm not sure it's really much of a mitigation as any user messaging about it could easily be glossed over or skipped through.

@akshayku
Contributor Author

akshayku commented Feb 3, 2025

This is not an explicit "hard" option.

This is a "soft" preference via hints as indicated in #2253 .

For the providers who are providing such a choice to the user, this is beneficial: the user can choose with more context. We have done multiple user studies to design the experience with appropriate explanation to remove the confusion.

@akshayku akshayku changed the title Provide a way for an RP to indicate backup preference during credential registration Provide a way for an RP to indicate backup preference during credential registration for providers who support both backed-up and non-backed up credential Feb 3, 2025
@Kieun
Member

Kieun commented Feb 5, 2025

This is beneficial for the providers and users, while the RP may still need to handle both backed-up and device-bound credentials even if it sets the device-bound credential as the preferred one. In some sense, if the RP has a choice to accept backed-up or device-bound credentials with this hint, this will create user friction depending on the RP.

@akshayku
Contributor Author

Update (2/19): We are gathering more information from the enterprises and it is going to take some time. We will come back with more information or an updated proposal once we have more information. Please keep this issue/PRs open for L4 till we figure out the direction for Enterprises on unmanaged devices.
