Product Documentation

A discoverable (resident) key is a data structure that the client platform can store and use in an Authenticator selection process during authentication. If the client platform supports it, it can display a list of the locally registered Authenticators and let the user choose which one to use. Note that this client platform UI is not a required feature to enable the use of multiple Authenticators for one account. Allowed values:

  • required: A residentKey must be created, meaning the Authenticator must return a resident key. This might not be possible for roaming Authenticators; selecting this option might result in roaming Authenticators being rejected. This will greatly reduce the number of Authenticators that can be used with this SKFS.
  • preferred: Create a residentKey if possible; otherwise don't. Any Authenticator that can generate a resident key will be required to do so, while Authenticators that don't support resident keys are not rejected outright.
  • discouraged: Don't create a residentKey. Even Authenticators that support resident keys will not generate one during registration. This means there will be no client-stored FIDO key data and, consequently, no client platform UI for Authenticator selection.
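The following is an added example, not SKFS code or part of this documentation. It shows how a relying party maps the residentKey policy above onto the WebAuthn `authenticatorSelection` dictionary passed to `navigator.credentials.create()` (including the older `requireResidentKey` boolean, which must be true only for `required`), and how it can verify after registration, using the `credProps` client extension, whether the Authenticator actually produced a resident key. The rpId, user and challenge values are constructed placeholders, and the decision to reject an unknown `rk` under the `required` policy is this example's own choice.

```javascript
// Added example (not StrongKey's SKFS code): mapping the SKFS residentKey
// policy to WebAuthn's authenticatorSelection and checking the outcome of a
// registration ceremony with the credProps extension.

const RESIDENT_KEY_VALUES = ["required", "preferred", "discouraged"];

// Build the authenticatorSelection dictionary the relying party sends to
// navigator.credentials.create(). requireResidentKey is the WebAuthn Level 1
// boolean kept for backwards compatibility with older clients; it must be true
// only when the policy is "required", otherwise old clients would force a
// resident key under "preferred" and reject non-resident Authenticators.
function buildAuthenticatorSelection(residentKey) {
  if (!RESIDENT_KEY_VALUES.includes(residentKey)) {
    throw new Error(`invalid residentKey value: ${residentKey}`);
  }
  return {
    residentKey,
    requireResidentKey: residentKey === "required",
    userVerification: "preferred", // assumed default; independent of residentKey
  };
}

// Decide whether a completed registration satisfies the configured policy.
// The client reports whether a resident key was actually created through the
// credProps extension ({ rk: true | false }); Authenticators or clients that
// do not support the extension return nothing, so rk may be undefined.
function registrationSatisfiesPolicy(residentKey, clientExtensionResults) {
  const credProps = clientExtensionResults && clientExtensionResults.credProps;
  const rk = credProps ? credProps.rk : undefined;
  switch (residentKey) {
    case "required":
      // The RP demanded a resident key. Anything but a confirmed rk === true is
      // rejected here; an unknown rk cannot be trusted to be discoverable.
      return rk === true;
    case "preferred":
    case "discouraged":
      // Either outcome is acceptable; the RP simply records what it got so it
      // knows whether a client-side Authenticator list will be available later.
      return true;
    default:
      return false;
  }
}

// Assemble the full PublicKeyCredentialCreationOptions the RP would return to
// the browser. rpId, userId, userName and the challenge are constructed
// placeholders; a real ceremony uses a fresh random challenge every time.
function buildCreationOptions(residentKey, rpId, userId, userName) {
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge: new Uint8Array(32), // placeholder; replace with random bytes
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: buildAuthenticatorSelection(residentKey),
    extensions: { credProps: true }, // ask the client to report rk
    attestation: "none",
  };
}
```

With `required`, the browser itself refuses Authenticators that cannot make a discoverable credential, so the `credProps` check is a server-side confirmation rather than the only enforcement point; with `preferred`, recording `rk` per credential tells the RP which registrations can later be offered through the client's Authenticator picker.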