Add authenticator attachment used during authentication to assertion payload

index.bs

@@ -1370,6 +1370,7 @@ that are returned to the caller when a new credential is created, or a new asser
     interface PublicKeyCredential : Credential {
         [SameObject] readonly attribute ArrayBuffer              rawId;
         [SameObject] readonly attribute AuthenticatorResponse    response;
+        [SameObject] readonly attribute DOMString?               authenticatorAttachment;
         AuthenticationExtensionsClientOutputs getClientExtensionResults();
     };
 </xmp>
@@ -1388,6 +1389,12 @@ that are returned to the caller when a new credential is created, or a new asser
         {{CredentialsContainer/create()}}, this attribute's value will be an {{AuthenticatorAttestationResponse}}, otherwise,
         the {{PublicKeyCredential}} was created in response to {{CredentialsContainer/get()}}, and this attribute's value
         will be an {{AuthenticatorAssertionResponse}}.
+
+    :   <dfn>authenticatorAttachment</dfn>
+    ::  This attribute reports the [=authenticator attachment modality=] in effect at the time this {{PublicKeyCredential}} was created.
+        The attribute’s value SHOULD be a member of {{AuthenticatorAttachment}}. [=[RPS]=] SHOULD treat unknown values as if the value were null.
+
+        Note: If, as the result of a [=registration ceremony|registration=] or [=authentication ceremony=], {{PublicKeyCredential/authenticatorAttachment}}'s value is "cross-platform" and concurrently {{isUserVerifyingPlatformAuthenticatorAvailable}} returns [TRUE], then the user employed a [=roaming authenticator=] for this [=ceremony=] while there is an available [=platform authenticator=]. Thus the [=[RP]=] has the opportunity to prompt the user to register the available [=platform authenticator=], which may enable more streamlined user experience flows.
 
     :   {{PublicKeyCredential/getClientExtensionResults()}}
     ::  This operation returns the value of {{PublicKeyCredential/[[clientExtensionsResults]]}}, which is a [=map=] containing
@@ -1857,6 +1864,9 @@ a numbered step. If outdented, it (today) is rendered either as a bullet in the
                     :   {{PublicKeyCredential/[[identifier]]}}
                     ::  |id|
 
+                    :   {{PublicKeyCredential/authenticatorAttachment}}
+                    ::  A {{DOMString}} whose value SHOULD be a member of {{AuthenticatorAttachment}}, based on the [[#enum-transport|transport]] used by the [=authenticator=] during the [=registration ceremony=], as determined per [[#sctn-attachments-from-transports]].
+
                     :   {{PublicKeyCredential/response}}
                     ::  A new {{AuthenticatorAttestationResponse}} object associated with |global| whose fields are:
 
@@ -2223,10 +2233,12 @@ When this method is invoked, the user agent MUST execute the following algorithm
                 1.  Let |pubKeyCred| be a new {{PublicKeyCredential}} object associated with |global| whose fields are:
 
                     :   {{PublicKeyCredential/[[identifier]]}}
-
                     ::  A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of
                         <code>|assertionCreationData|.[=credentialIdResult=]</code>.
 
+                    :   {{PublicKeyCredential/authenticatorAttachment}}
+                    ::  A {{DOMString}} whose value SHOULD be a member of {{AuthenticatorAttachment}}, based on the [[#enum-transport|transport]] used by the [=authenticator=] during the [=authentication ceremony=], as determined per [[#sctn-attachments-from-transports]].
+
                     :   {{PublicKeyCredential/response}}
                     ::  A new {{AuthenticatorAssertionResponse}} object associated with |global| whose fields are: