See also:

• Provide an explicit way to opt out of multi-device syncing/backups #1714
• Should an RP be able to provide finer grained authenticator filtering in attestation options? #1688

I worry that the option to disable backup/sync for some credentials would confuse users, ultimately getting them locked out because they weren't aware that some credentials were not backed up. A "soft" preference (i.e., hints) would be less a problem in that way than a hard filter, but I'm not sure it's really much of a mitigation as any user messaging about it could easily be glossed over or skipped through.

This is not a explicit "hard" option.

This is a "soft" preference via hints as indicated in #2253 .

For the providers who are providing such a choice to the user, this is beneficial for the user to choose with more contexts. We have done mutiple user studies to design the experience with appropriate explanation to remove the confusion.

This is beneficial for the providers and users, while RP may still need to handles backed-up and device-bound credential even it sets device-bound credential as preferred one. In some sense, if the RP has a choice to accept backed-up or device-bound credential with this hint, this will make user's friction depending on the RPs.

Update (2/19): We are gathering more information from the enterprises and it is going to take some time. We will come back with more information or an updated proposal once we have more information. Please keep this issue/PRs open for L4 till we figure out the direction for Enterprises on unmanaged devices.