Is there an API or other method for determining if a credential exists on the device that doesn't require taking my fingerprint first in Android?
Currently, I can call getSignPendingIntent(PublicKeyCredentialRequestOptions) with a particular credential id and then I'll be prompted to use my fingerprint. After giving my fingerprint, I'll either get an error response returned if the credential does not exist on the device or get a success response if it does exist.
Is there another method to determine if a credential exists on the device?
One reason for needing to know this is if a customer has registered a credential on device A, but then visits the website on device B. If they are on device B, I don't want to prompt them for a fingerprint to know if they can use their WebAuthN credential. I want to check if the credential exists first and otherwise fall back to the standard authentication method.
There is no way to be 100% sure. Best possible solution as of today is storing the credential id in local storage (or a cookie) where it was created. That way, you can check if you should offer fingerprint login (aka. Platform Authenticator) option on that device, i.e., in that browser.
There's been some attempts in FIDO Alliance and W3C WebAuthn WG to change this, but so far it has not been done mainly due to privacy reasons.