[md_]

> The point is that it takes that choice out of the users' hands.

Unclear to me why you think the user--and not the IdP--should have the final say here.

> You shouldn't. That's like expecting to be able to use your work laptop for personal stuff.

Except FIDO identities are unlinkable even if using the same hardware.

[dcow]

Because for consumer auth we just go back to the CA oligarchy and client certs nobody uses if we rely on trusting vendor attestation.

I understand for a corporate setup employees are threat vectors. But that depressing outlook isn't how most people view the consumer space. We want: consumer x signed this auth challenge. We do not want: authority Y said consumer X signed this auth challenge. That’s just CA SSO style oligarchy repeated.

Why wouldn't you trust the consumer and their preferred authentication agent to participate in an authentication challenge? Consumer apps don’t need to ensure that consumers are using a hardware token device they just need to arrange an authentication dance that doesn't involve a shared secret.

[md_]

It depends a lot on the situation. I think it’s reasonable, for example, for banks who have different liability standards depending on how transactions are authenticated to require batch attestation.

But like I said, most consumer IdPs aren’t doing attestation checks, and it’s discouraged, so I think you’re making a big deal of it. :)

[octoberfranklin]

I had a Bank of America token-card (the one with the LCD display and button) until they discontinued it. Those things are fine. It was no larger or heavier than their ATM card, and in fact some banks combined the two into a single card. There was no need for any FIDO-like standardization or certification authorities there because the same entity (the bank) had provided both ends of the authentication conversation (the token card and the bank's website).

If a bank feels the need to control the hardware I use, they must provide that hardware. Their needs absolutely do not entitle them to impose codesigning/bootloader-locking requirements on my other devices, such as my phone or my laptop.

> aren’t doing attestation checks, and it’s discouraged

That will change. If it weren't, they wouldn't have bothered putting it into the spec. Or they could have used symmetric cryptography for attestation, like the bank-issued token cards and the chip in your chip-and-PIN card do.

[md_]

The nice thing about FIDO is that I can use the same USB key for a bunch of different websites. I have a single key on my keyring, and I use it for Github, for my brokerage, for Gmail, for my work, etc.

And the reason I can do that is because my work cares that I use a FIPS compliant key, but nobody else does—because consumer RPs don’t do this.

Have you encountered any consumer RP enforcing attestation? Or is this concern of yours totally speculative?

I don’t know what this Bank of America card you refer to is, but presumably it was phishable auth, since it had an LCD key? Without a standard supported by user-agents, I don’t know how someone would enforce an out-of-band/unphishable auth mechanism like FIDO+Webauthn on their own, but I’m curious to hear you explain it!