Hacker News
by jaredhanson 1479 days ago
Attestation is an option in the FIDO ecosystem, and it is up to each website whether or not attestation is needed. Attestation is often required in enterprise settings. While consumer adoption of WebAuthn is incredibly low, the introduction of passkeys and multi-device credentials looks poised to change that.

For consumer scenarios, attestation is often not a requirement. In that case, FIDO offers the "none" and "self" attestation modes. None conveys no attestation. Self attestation involves a per-website key pair. Either of these modes is privacy- and DIY-friendly.

1 comments
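As an added example (not part of the comment above or of any FIDO library), here is how a relying party could tell the "none" and "self" modes apart from certificate-backed attestation and apply a consumer or enterprise policy. It assumes the attestation object is already CBOR-decoded; `credentialAlg`, the `consumer`/`enterprise` profile names and the sample values are hypothetical, and signature and certificate-chain verification are out of scope.

```javascript
// Input: a decoded attestation object { fmt, attStmt, credentialAlg }, where
// credentialAlg (assumed name) is the COSE algorithm of the credential public key.
function attestationType(att) {
  const stmt = att.attStmt || {};
  if (att.fmt === "none") {
    // The "none" format carries an empty statement; anything else is malformed.
    if (Object.keys(stmt).length !== 0) throw new Error("'none' format must carry an empty attStmt");
    return "none";
  }
  if (att.fmt !== "packed") throw new Error("format not handled in this example: " + att.fmt);
  if (stmt.alg === undefined || stmt.sig === undefined) throw new Error("packed attStmt needs alg and sig");
  if (!("x5c" in stmt)) {
    // Self attestation: the signature is made with the credential's own
    // per-website key, so alg must match that key's algorithm.
    if (stmt.alg !== att.credentialAlg) throw new Error("alg does not match credential key");
    return "self";
  }
  if (!Array.isArray(stmt.x5c) || stmt.x5c.length === 0) throw new Error("x5c present but empty");
  return "certified"; // the chain still has to be validated against trusted roots
}

// Which attestation types each (hypothetical) deployment profile accepts.
const POLICY = { consumer: ["none", "self", "certified"], enterprise: ["certified"] };

function acceptRegistration(profile, att) {
  const allowed = POLICY[profile];
  if (!allowed) throw new Error("unknown profile: " + profile);
  let type;
  try { type = attestationType(att); }
  catch (e) { return { accepted: false, type: null, reason: e.message }; }
  return allowed.includes(type)
    ? { accepted: true, type, reason: "ok" }
    : { accepted: false, type, reason: `${profile} policy requires one of: ${allowed.join(", ")}` };
}

// Constructed sample inputs (byte values are placeholders, not real signatures or certificates).
const SIG = new Uint8Array([0x30, 0x06]);
const samples = {
  none: { fmt: "none", attStmt: {}, credentialAlg: -7 },
  self: { fmt: "packed", attStmt: { alg: -7, sig: SIG }, credentialAlg: -7 },
  certified: { fmt: "packed", attStmt: { alg: -7, sig: SIG, x5c: [new Uint8Array([0x30])] }, credentialAlg: -7 },
  mismatched: { fmt: "packed", attStmt: { alg: -257, sig: SIG }, credentialAlg: -7 },
};
```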

Well, Cloudflare seems to be doing it to combat bots.

We actually managed to invent something even worse than passwords. Incredible.

Why are you so negative about this? It works pretty well as an authentication mechanism. Unlike passwords, it can't be leaked or phished.

As for Cloudflare use, it's an experimental hack. An option to avoid filling in a CAPTCHA in case you have a compatible hardware key. You don't have to have one, and you don't have to use it for this if you don't want to.