Currently: TWO_FACTOR_WEBAUTHN_AUTHENTICATOR_ATTACHMENT = "cross-platform" is set to enforce the use of a different physical device as second factor provider. Changing this to "platform" allows the same physical device to negotiate the second factor, e.g. using a built-in fingerprint scanner.
On supported Macs this allows the Touch ID scanner to be used for multi-factor authentication, which may improve the user experience when dealing with such authentication steps. Other platforms may or may not have similar setups, and the (fallback) behavior should be tested if the value is changed.
Pros:
Allows easier use of 2fa using tools such as fingerprint scanners.
May possibly reduce the risk of losing access to a device providing a second factor.
Cons:
The amount of "2fa-ness" is left to the implementation of the platform used by the user.
May possibly be (a little) less secure than "cross-platform" as a setting.
Before making any decision I think we should understand the devices the users are working on (do they even provide platform-based 2fa tools)? Is there any policy restricting this choice?
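One way to answer the device question and exercise the fallback path in a browser, as an added example that is not part of the original issue or the project's code. The function names and the `userVerification` policy are assumptions; `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` is the standard WebAuthn probe.

```javascript
// Added example; registrationPlan and probePlatformAuthenticator are hypothetical names.
const ALLOWED_ATTACHMENTS = ["platform", "cross-platform"];

// Ask the browser whether a built-in, user-verifying authenticator
// (fingerprint reader, device PIN, ...) is present on this device.
// Any missing API or error counts as "not available".
async function probePlatformAuthenticator(pkc = globalThis.PublicKeyCredential) {
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return false;
  }
  try {
    return (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
  } catch {
    return false;
  }
}

// Decide what a registration page should do for the configured attachment value.
function registrationPlan(configured, platformAvailable) {
  // Reject misspelled values up front instead of passing them to the browser.
  if (!ALLOWED_ATTACHMENTS.includes(configured)) {
    throw new RangeError(`unknown authenticator attachment: ${configured}`);
  }
  if (configured === "platform" && !platformAvailable) {
    // The fallback case: this device cannot act as its own second factor.
    return { proceed: false, reason: "no platform authenticator; offer another 2FA method" };
  }
  const authenticatorSelection = { authenticatorAttachment: configured };
  if (configured === "platform") {
    // Assumed policy: when the second factor lives on the same device,
    // insist on a biometric or PIN check rather than mere presence.
    authenticatorSelection.userVerification = "required";
  }
  return { proceed: true, authenticatorSelection };
}

// Browser usage (assumed wiring): log the plan for the configured value.
async function reportPlan(configured) {
  const available = await probePlatformAuthenticator();
  return registrationPlan(configured, available);
}
```

Collecting the probe result from real user sessions shows how many devices could use "platform" before the setting is changed.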