Requests can force specific authenticators.
Last updated - Wed Jun 21 2023
The authenticatorSelection property and its child authenticatorAttachment can determine a preference for a particular authenticator. If cross-platform is selected, the WebAuthn authentication catalog will only show support for roaming authenticators (e.g., YubiKey). If platform is selected, it will request only biometrics-supported authentication. By default (i.e., if the property is missing), no preference is given, so both options can be selected.
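The three request shapes described above, as an added example that is not part of the original page. The helper names buildCreationOptions and attachmentMatches and all sample values are hypothetical; the check relies on the authenticatorAttachment value that the client reports on the returned credential.

```javascript
// Added example: only the WebAuthn option members are standard names.
const ATTACHMENTS = new Set(["platform", "cross-platform"]);

// Build the options object passed to navigator.credentials.create().
// `attachment` undefined means "no preference": the property is left out.
function buildCreationOptions({ rp, user, challenge, attachment }) {
  if (attachment !== undefined && !ATTACHMENTS.has(attachment)) {
    throw new RangeError(`unsupported authenticatorAttachment: ${attachment}`);
  }
  const publicKey = {
    rp,
    user,
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
  };
  if (attachment !== undefined) {
    publicKey.authenticatorSelection = { authenticatorAttachment: attachment };
  }
  return { publicKey };
}

// Compare the attachment reported on the returned credential
// (PublicKeyCredential.authenticatorAttachment, which may be null)
// with what the request asked for. The value is client-reported.
function attachmentMatches(requested, credential) {
  if (requested === undefined) return true; // nothing was requested
  return credential.authenticatorAttachment === requested;
}

// Constructed sample values; a real relying party generates a fresh
// random challenge for every ceremony instead of this fixed buffer.
const sample = {
  rp: { id: "example.test", name: "Example RP" },
  user: { id: Uint8Array.from([1, 2, 3, 4]), name: "alice", displayName: "Alice" },
  challenge: new Uint8Array(32),
};

const roamingOnly = buildCreationOptions({ ...sample, attachment: "cross-platform" });
const platformOnly = buildCreationOptions({ ...sample, attachment: "platform" });
const noPreference = buildCreationOptions(sample);

// In a browser: const cred = await navigator.credentials.create(roamingOnly);
```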
There are a couple of edge cases where a platform authenticator can be toggled on and off (e.g., a keyboard with a fingerprint reader with FIDO2 support) and platform is preferred. If this device is the only authenticator, the workflow will continue without even prompting for a signature using the key that was previously loaded before the authenticator was disconnected.