[drdaeman]

Exactly! :-)

Companies aren't willing to lose customers at scale, but they aren't doing anything for the customers if they won't lose them anyway. For most services, most customers except for some diehard ideologists would just bend over and begrudgingly go with the attested option. And a company won't bother using engineer's time if it's only a few people.

So minimum-value random internet blog is probably not going to require attestation - except if they have no idea about it whatsoever and will just use some off-the-shelf solution and enable it because it sounds more secure, without realizing the issue. Anything that has significant value will do as they please and customers may voice some unhappiness, but will obey. And as long as voiced unhappiness is minor (there are always other issues) it will be ignored as not something worth spending resources on (even understanding the issue requires some valuable time).

[stavros]

The issue, though, is attestation doesn't really do much for the site either. It's not like the bank wants to enable attestation because it's somehow more secure. It's only useful in cases where a company wants to say "we only want you to use Yubikeys because that's what HR has approved", not so much for sites mandating what their customers should use.

This is a bit like worrying that sites will block 1password and only allow LastPass. Why would they, even if they could?

[drdaeman]

> Why would they, even if they could?

Because people are not always rational? Or because non-technical people (and technical people too, just less often) don't always make good technical decisions?

I can totally imagine a case where non-techie Joe starts a small shop, wants a website, sees an ad for a cheap hosting for non-techies, one-click installs Wordpress, goes to settings and ticks the checkboxes because "require secure devices" sounds secure. Or some other reason - people do weird things all the time, I can't count how many times I've looked at someone's server or website (including my own, especially after some time passes) and wondered why something is weird or plain wrong.

You're probably right, though. Attestation is very unlikely to be an issue, if Passkey implementations that don't have it will be popular enough to matter soon enough. And given that 1Password is spearheading it and Apple doesn't have it either - this is probably going to be true.

Attestation could become a real issue only if vast majority of available implementations by the time sites will start to adopt Passkeys will all provide it. Then site owners could make those mistakes and not even realize them. But that's not what seems to be happening so I'm sure attestation won't be a big deal.

[JohnFen]

Attestation can be more detailed than just what brand of hardware key you use. Banks probably don't care.

But attestation also informs what the capabilities are. What banks (or others) might care about is whether or not you're using a TPM or equivalent to store your key in, and attestation can tell them that.

[drdaeman]

Fortunately, it seems that major providers don't support attestation. If no one provides attestation capabilities, no one would request it, not even someone as anti-user as a bank.