Just tried on multi-device scenario with android and my mac and that worked fine. I'm wondering though, how the biometric data gets associated with my email address.
From what I remember, your biometric data shouldn't get associated at all. Your hardware uses your biometrics to unlock the onboard enclave / vault and then the process asking can obtain or create what it needs once unlocked. If you don't have biometrics enabled it would resort to your phone password/pin.
I think you are correct, I took a shortcut there ; my question is more "I used email A to sign in, and used my android creds (incidentally my fingerprint) - which is using my Gmail account B. Now I want to use my apple creds C to signin on my Mac.
What links are created between all these accounts? Does Google now know that their account B is linked to email A? Does Hankio? Or is that the service provider?
The use-case is to create a new key pair when you register an "authenticator" device, and then sign a challenge later to authenticate (prove it is the existing known authenticator).
It is up to the site to decide if it wants to accept that authenticator, e.g. if it meets the necessary security requirements. For most sites, they'll accept anything based on user preference.
The site only ever knows the 'kind' of authenticator though (possibly through a cryptographic attestation). The authentication process only releases/uses the public key, not any supplemental information. The site would never see any PIN or biometric information that was gathered locally to release the use of the key.
The site (usually) can't even tell whether it was a PIN or biometric used - just that that 'kind' of authenticator has a particular behavior and particular security reputation/policy/certifications.
Just tried on multi-device scenario with android and my mac and that worked fine. I'm wondering though, how the biometric data gets associated with my email address.