w3c · nsatragno · Oct 7, 2021 · Sep 8, 2021 · Sep 20, 2021 · Sep 21, 2021
diff --git a/index.bs b/index.bs
@@ -1370,6 +1370,7 @@ that are returned to the caller when a new credential is created, or a new asser
     interface PublicKeyCredential : Credential {
         [SameObject] readonly attribute ArrayBuffer              rawId;
         [SameObject] readonly attribute AuthenticatorResponse    response;
+        [SameObject] readonly attribute DOMString?               authenticatorAttachment;
         AuthenticationExtensionsClientOutputs getClientExtensionResults();
     };
 </xmp>
@@ -1388,6 +1389,15 @@ that are returned to the caller when a new credential is created, or a new asser
         {{CredentialsContainer/create()}}, this attribute's value will be an {{AuthenticatorAttestationResponse}}, otherwise,
         the {{PublicKeyCredential}} was created in response to {{CredentialsContainer/get()}}, and this attribute's value
         will be an {{AuthenticatorAssertionResponse}}.
+
+    :   <dfn>authenticatorAttachment</dfn>
+    ::  This attribute reports the [=authenticator attachment modality=] in effect at the time the
+        {{CredentialsContainer/create()|navigator.credentials.create()}} or
+        {{CredentialsContainer/get()|navigator.credentials.get()}} methods successfully complete.
+        The attribute’s value SHOULD be a member of {{AuthenticatorAttachment}}. [=[RPS]=] SHOULD treat unknown values
+        as if the value were null.
+
+        Note: If, as the result of a [=registration ceremony|registration=] or [=authentication ceremony=], {{PublicKeyCredential/authenticatorAttachment}}'s value is "cross-platform" and concurrently {{isUserVerifyingPlatformAuthenticatorAvailable}} returns [TRUE], then the user employed a [=roaming authenticator=] for this [=ceremony=] while there is an available [=platform authenticator=]. Thus the [=[RP]=] has the opportunity to prompt the user to register the available [=platform authenticator=], which may enable more streamlined user experience flows.
 
     :   {{PublicKeyCredential/getClientExtensionResults()}}
     ::  This operation returns the value of {{PublicKeyCredential/[[clientExtensionsResults]]}}, which is a [=map=] containing
@@ -1857,6 +1867,9 @@ a numbered step. If outdented, it (today) is rendered either as a bullet in the
                     :   {{PublicKeyCredential/[[identifier]]}}
                     ::  |id|
 
+                    :   {{PublicKeyCredential/authenticatorAttachment}}
+                    ::  A {{DOMString}} whose value SHOULD be a member of {{AuthenticatorAttachment}}, based on the [[#enum-transport|transport]] used by the [=authenticator=] during the [=registration ceremony=], as determined per [[#sctn-attachments-from-transports]].
+
                     :   {{PublicKeyCredential/response}}
                     ::  A new {{AuthenticatorAttestationResponse}} object associated with |global| whose fields are:
 
@@ -2223,10 +2236,12 @@ When this method is invoked, the user agent MUST execute the following algorithm
                 1.  Let |pubKeyCred| be a new {{PublicKeyCredential}} object associated with |global| whose fields are:
 
                     :   {{PublicKeyCredential/[[identifier]]}}
-
                     ::  A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of
                         <code>|assertionCreationData|.[=credentialIdResult=]</code>.
 
+                    :   {{PublicKeyCredential/authenticatorAttachment}}
+                    ::  A {{DOMString}} whose value SHOULD be a member of {{AuthenticatorAttachment}}, based on the [[#enum-transport|transport]] used by the [=authenticator=] during the [=authentication ceremony=], as determined per [[#sctn-attachments-from-transports]].
+
                     :   {{PublicKeyCredential/response}}
                     ::  A new {{AuthenticatorAssertionResponse}} object associated with |global| whose fields are:
 
@@ -2330,6 +2345,25 @@ Note: Invoking this method from a [=browsing context=] where the [=Web Authentic
 
 </div>
 
+### Determining Authenticator Attachment from Authenticator Transports ### {#sctn-attachments-from-transports}
+
+When creating a {{PublicKeyCredential}} object, as the result of a [=registration ceremony|registration=] or [=authentication ceremony=], the [=client platform=] determines the [=authenticator attachment modality=] and reports it in {{PublicKeyCredential/authenticatorAttachment}}. This section defines how the [=client platform=] makes that determination.
+
+If the client platform
+<dl class="switch">
+    : cannot determine the {{transports}} used or the transport is not a member of {{AuthenticatorTransport}}, then
+    :: the [=authenticator attachment modality=] is unknown, and the value of {{PublicKeyCredential/authenticatorAttachment}} MUST be set to null.
+
+    : used an {{AuthenticatorTransport/internal}} transport, then
+    :: {{PublicKeyCredential/authenticatorAttachment}} MUST be set to "platform".
+
+    : used a {{transports|transport}} that is a member of {{transports}} other than {{AuthenticatorTransport/internal}},
+    :: {{PublicKeyCredential/authenticatorAttachment}} MUST be set to "cross-platform".
+
+Note: An [=authenticator's=] [=authenticator attachment modality|attachment modality=] could change over time.
+For example, a mobile phone might at one time only support [=platform attachment=]
+but later receive updates to support [=cross-platform attachment=] as well.
+
 ## Authenticator Responses (interface <dfn interface>AuthenticatorResponse</dfn>) ## {#iface-authenticatorresponse}
 
 [=Authenticators=] respond to [=[RP]=] requests by returning an object derived from the