by md_
1576 days ago
The nice thing about FIDO is that I can use the same USB key for a bunch of different websites. I have a single key on my keyring, and I use it for Github, for my brokerage, for Gmail, for my work, etc. And the reason I can do that is because my work cares that I use a FIPS compliant key, but nobody else does—because consumer RPs don’t do this. Have you encountered any consumer RP enforcing attestation? Or is this concern of yours totally speculative? I don’t know what this Bank of America card you refer to is, but presumably it was phishable auth, since it had an LCD key? Without a standard supported by user-agents, I don’t know how someone would enforce an out-of-band/unphishable auth mechanism like FIDO+Webauthn on their own, but I’m curious to hear you explain it!