diff --git a/src/encryptid/index.ts b/src/encryptid/index.ts
index 923760c..ed74d9e 100644
--- a/src/encryptid/index.ts
+++ b/src/encryptid/index.ts
@@ -108,7 +108,7 @@ import { getRecoveryManager } from './recovery';
 */
 export async function isEncryptIDAvailable(): Promise {
 const caps = await detectCapabilities();
- return caps.webauthn && caps.platformAuthenticator;
+ return caps.webauthn;
 }
 /**
diff --git a/src/encryptid/server.ts b/src/encryptid/server.ts
index a8ec91e..0f58454 100644
--- a/src/encryptid/server.ts
+++ b/src/encryptid/server.ts
@@ -565,10 +565,11 @@ app.post('/api/register/start', async (c) => {
 { alg: -257, type: 'public-key' }, // RS256
 ],
 authenticatorSelection: {
- authenticatorAttachment: 'platform',
 residentKey: 'required',
 requireResidentKey: true,
 userVerification: 'required',
+ // Don't force 'platform' — let the browser offer cross-platform
+ // authenticators (security keys, phone) on devices without platform auth
 },
 timeout: 60000,
 attestation: 'none',
@@ -1773,7 +1774,6 @@ app.post('/api/account/device/start', async (c) => {
 { alg: -257, type: 'public-key' },
 ],
 authenticatorSelection: {
- authenticatorAttachment: 'platform',
 residentKey: 'required',
 requireResidentKey: true,
 userVerification: 'required',
@@ -2902,7 +2902,7 @@ app.get('/guardian', (c) => {
 { alg: -7, type: 'public-key' },
 { alg: -257, type: 'public-key' },
 ],
- authenticatorSelection: { authenticatorAttachment: 'platform', residentKey: 'required', requireResidentKey: true, userVerification: 'required' },
+ authenticatorSelection: { residentKey: 'required', requireResidentKey: true, userVerification: 'required' },
 attestation: 'none',
 timeout: 60000,
 },
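Review bot: `isEncryptIDAvailable()` now returns true on any browser that exposes WebAuthn, so it no longer tells a caller whether an authenticator that can satisfy `userVerification: 'required'` and `residentKey: 'required'` is actually reachable. The doc comment that closes on the first context line starts outside the hunk; if it still describes a platform-authenticator check it should be reworded, for example `Returns true when the browser supports WebAuthn; does not indicate which authenticators are attached.` Any caller that used the old result to decide whether to show a device-biometric prompt would need to read `caps.platformAuthenticator` directly.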
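Review bot: The same `authenticatorSelection` literal is edited by hand in four places (here in `/api/register/start`, then in `/api/account/device/start`, `/guardian` and `/`), and only this copy carries the explanatory comment, so the policy can drift the next time one copy is touched. A single shared constant with the comment on it would keep them aligned, e.g. `const PASSKEY_SELECTION = { residentKey: 'required', requireResidentKey: true, userVerification: 'required' } as const;` (name is a suggestion; the two `app.get` handlers may embed their options in page script, in which case the value would have to be serialised into the page). With the attachment filter gone and `attestation: 'none'` kept, the server has no signal about what class of authenticator registered. If that matters for recovery or risk decisions, the finish handlers, which are outside this diff, are where the reported transports can be stored and where the user-verified flag should be confirmed as checked.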
@@ -7727,7 +7727,7 @@ app.get('/', (c) => {
 { alg: -7, type: 'public-key' },
 { alg: -257, type: 'public-key' },
 ],
- authenticatorSelection: { authenticatorAttachment: 'platform', residentKey: 'required', requireResidentKey: true, userVerification: 'required' },
+ authenticatorSelection: { residentKey: 'required', requireResidentKey: true, userVerification: 'required' },
 attestation: 'none',
 timeout: 60000,
 extensions: { credProps: true, ...prfExtension },
diff --git a/src/encryptid/webauthn.ts b/src/encryptid/webauthn.ts
index ab5c5c7..4ecaa90 100644
--- a/src/encryptid/webauthn.ts
+++ b/src/encryptid/webauthn.ts
@@ -178,8 +178,9 @@ export async function registerPasskey(
 // Require user verification (biometric/PIN)
 userVerification: cfg.userVerification,
- // Force platform authenticator (Windows Hello, Touch ID, etc.)
- authenticatorAttachment: 'platform',
+ // Prefer platform authenticator, but allow cross-platform (security keys,
+ // phone-as-authenticator) on devices without one (e.g. Linux desktops)
+ ...(platformAvailable ? { authenticatorAttachment: 'platform' as const } : {}),
 },
 // Don't request attestation (privacy)
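Review bot: The `...prfExtension` requested on the last context line can now reach a security key or phone that does not implement PRF, because the attachment filter on the changed line is gone. In that case the credential is still created, just without a usable PRF result. The code that reads the extension results is outside this hunk, so this is a point to confirm rather than a known defect: if key derivation depends on PRF, check `getClientExtensionResults().prf?.enabled` after creation and surface a clear message before the account comes to rely on that credential. Recording the `credProps` result alongside it would also let the server tell the user whether the new credential is discoverable.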
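Review bot: The new comment says "Prefer platform authenticator, but allow cross-platform", but `authenticatorAttachment` is a filter, not a preference, so whenever `platformAvailable` is true the spread still excludes security keys and phones. That also disagrees with the server.ts hunks, which drop the field unconditionally. Either omit the field here as well, or make the comment match the behaviour: `// Restrict to the platform authenticator when one is present; otherwise leave the attachment open (security keys, phone)`. `platformAvailable` is defined earlier in `registerPasskey`, outside the hunk, so how it is computed and what it defaults to if detection fails should be checked there.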