by dwaite
2074 days ago
Firefox and Chrome both prompt before disclosing the attestation information of your key, adding a UX tax to asking for attestations. The protocol also does not have a way to get the browser to 'filter' potential authentication methods to just, say, a Google Titan key or iPhone 12. So while sites might determine whether to show the authentication options by scraping user agents like they always have, they can't get the browser to handle the user tapping the wrong kind of key. Instead, the browser has to repeatedly inform the user of what went wrong and drive the user through registration/authentication. So websites _can_ restrict things to a particular form of authentication, but in many cases it may lead to a sub-par user experience. They may also need to tune this repeatedly, for instance to allow other browsers once Apple makes this available to them, or, say, pushing the authentication experience from desktop to phone or watch. Since Android and Windows Hello support the same API, platform restrictions in particular have been just asking for more rope to hang yourself with. Such restrictions have been required up to this point because the platform support has been spotty (with Android being the current third place).