by ndriscoll 740 days ago
Because a standard with device attestation should be rejected outright, real world implementations use it as a form of lock-in, and password managers are more ubiquitously available anyway (e.g. I can't use passkeys on my primary computer, which doesn't have the necessary hardware). This would be different if browsers added software implementations with easy export first and removed the attestation part of the standard, but they didn't.

I see device attestation as a different issue. Passkeys don't have to have device attestation. FIDO2 has long supported this already in the form of AAGUIDs [1], which do address a valid use case of wanting to restrict the kinds of authenticators that can be used, for example if you have FIPS requirements.

I do agree that passkeys, implemented in software, should categorically prohibit attestation. I think the cost of needing attestation should be that you have to require/invest in the actual hardware tokens.

[1] https://support.yubico.com/hc/en-us/articles/360016648959-Yu...
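The AAGUID mechanism mentioned above, shown from the relying party's side as an added example (this is not code from the thread or from any vendor): parse WebAuthn authenticatorData, pull out the 16-byte AAGUID, and enforce an allowlist. The allowlist entry, the hypothetical AAGUID value, the rpId "example.com" and the sample response bytes are all constructed for the example. The check also refuses to act on an AAGUID when the attestation format is "none" or the AAGUID is zeroed, since without a verified attestation statement the AAGUID is just bytes the client supplied.

```python
# Added example (not from the thread): relying-party side parsing of WebAuthn
# authenticatorData to extract the AAGUID and enforce an authenticator allowlist.
import hashlib
import struct
import uuid

# Hypothetical allowlist. This AAGUID is made up for the example and is not a
# real vendor identifier; real values come from the vendor or the FIDO MDS.
ALLOWED_AAGUIDS = {
    "11111111-2222-4333-8444-555555555555": "Example FIPS hardware key",
}
ZERO_AAGUID = "00000000-0000-0000-0000-000000000000"

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed layout of authenticatorData:
    rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key] | [extensions]
    The COSE public key and any extensions are CBOR and are left unparsed here."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed header")
    flags = auth_data[32]
    info = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        info["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID is truncated")
        info["credential_id"] = cred_id
    return info


def check_registration(auth_data: bytes, attestation_fmt: str, allowed=ALLOWED_AAGUIDS):
    """Decide whether a registration may proceed under an authenticator allowlist.
    attestation_fmt is the 'fmt' field of the attestationObject ('none', 'packed', ...).
    Returns (accepted, reason)."""
    info = parse_authenticator_data(auth_data)
    if info["aaguid"] is None:
        return False, "no attested credential data (not a registration response)"
    if info["aaguid"] == ZERO_AAGUID:
        return False, "AAGUID is zeroed: attestation was not conveyed, model unknown"
    if attestation_fmt == "none":
        # The AAGUID is only bytes in the response; the attestation statement
        # (signature chain to a vendor root, or an MDS entry) is what binds it to a model.
        return False, "attestation 'none': AAGUID is unverified, request attestation='direct'"
    if info["aaguid"] not in allowed:
        return False, f"authenticator {info['aaguid']} is not on the allowlist"
    # A production RP must also verify the attestation statement's signature and
    # certificate chain before trusting the AAGUID; that step is omitted here.
    return True, f"allowed authenticator: {allowed[info['aaguid']]}"


def build_sample_auth_data(aaguid: str, credential_id: bytes,
                           flags: int = FLAG_UP | FLAG_UV | FLAG_AT) -> bytes:
    """Construct registration-style authenticatorData for rpId example.com.
    This is test input built for the example, not captured from a real device;
    a single placeholder byte stands in for the CBOR COSE key that would follow."""
    return (hashlib.sha256(b"example.com").digest()
            + bytes([flags])
            + struct.pack(">I", 1)
            + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(credential_id))
            + credential_id
            + b"\xa5")


if __name__ == "__main__":
    hw = build_sample_auth_data("11111111-2222-4333-8444-555555555555", b"\x01" * 16)
    print(check_registration(hw, "packed"))
    print(check_registration(build_sample_auth_data(ZERO_AAGUID, b"\x02" * 16), "none"))
    print(check_registration(build_sample_auth_data("99999999-8888-4777-8666-555555555555", b"\x03" * 16), "packed"))
```

The order of the checks is the point: the allowlist lookup happens only after the response has been shown to carry a conveyed, non-zero AAGUID under a real attestation format, and even then the statement's certificate chain still has to be verified before the result means anything against a software authenticator that can write any 16 bytes into that field.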

Attestation does not belong in a standard that's used with consumer devices. Make the payloads extensible so that corporations/gov can add their own attestation data as an extension if they want, but websites have no business being able to enforce whether I am using a Microsoft or Google approved device, and e.g. banks inevitably will unthinkingly add it as a "best practice" if it's there (they already do this with mobile apps). This decreases user security as the options we all know will make up the acceptable list are compromised with built-in malware today.
We agree in general terms.

I don’t think it’s realistic to expect browsers to not support attestation.

Business is already able to use attestation to enforce/deny the use of specific kinds of keys. Removing this ability would break web-based SSO for businesses that rely on that ability. For example, if that vanished overnight then the only way I'd be able to log in to our Entra tenant is via a break glass account that is exempt from attestation.

If you want your bank employees to be able to authenticate to web applications with _only_ approved authenticators, then attestation is the way that is accomplished.

You can do FIDO2 Enterprise Attestation as well, but those devices aren't generally available outside of (rather pricey) enterprise sales channels and require more overhead.

Device attestation with consumers is already unpopular. Google experienced this recently with their “Web Environment Integrity” ~~con~~ proposal. It’s also a logistical nightmare. If Apple, for example, supported attestation then anyone who implements it now has a bunch of additional headaches in keeping it updated with fingerprints and the risk of extra failure cases.

The people who want attestation for consumers don’t have their interests at heart, and the people who would have to implement attestation in consumer devices aren’t interested in doing that. Except for Google, because it suits their interests.

I’m not saying the case is strong that attestation won’t happen. I’m simply saying the case for attestation in business contexts is strong, is already deployed and relied upon. The interest for consumer attestation isn’t very well aligned with those who have to do the work to make it happen. Google is an exception to that and sound technical and policy minds keep showing their attempts the door.

Edit to add: for better or worse, consumer and business devices are virtually the same these days. I would argue it’s worse to bifurcate them because that would enable rapidly realizing the world none of us want where no one has any control over any part of their device unless it’s owned by a business.

Attestation is going to be abused. The only thing it is useful for is establishing centralized control over client software. That'll eventually imply that all clients are user hostile, probably both from a surveillance capitalism perspective, and from a government surveillance perspective.

This isn't a theoretical concern. All of the groundwork (except device attestation at login) has already been laid:

- The US CLOUD Act already says that service providers have to provide the government with access to all information they're technically capable of accessing.

- Microsoft's existing client debugging mechanisms allow them to pull files from windows machines with management approval.

Once there's a de facto ban on running web browser binaries that aren't produced by a FAANG (established by the passkey standard), all the vendors have to do is add MS-style telemetry / debugging, and it's game over. In all likelihood, there will be legislation in a few years that forces any holdouts to implement that sort of a mechanism.