We should disable resident credentials entirely until properly and fully supported in Chrome, both for privacy and usability concerns.
Chrome lacks an account chooser for selecting which credential should be returned if an empty allow list is passed to getAssertion(). The current behavior for empty lists when credentials for that RP exist is to return a single credential, basically at random. We should disable this.
MakeCredential requests with rk=true should also be disabled. Since we aren't supporting assertions with resident credentials, we shouldn't allow for their creation, either.
Comment 1 by agl@chromium.org, Oct 18