by ndriscoll
740 days ago
Attestation does not belong in a standard that's used with consumer devices. Make the payloads extensible so that corporations/gov can add their own attestation data as an extension if they want, but websites have no business being able to enforce whether I am using a Microsoft or Google approved device, and e.g. banks inevitably will unthinkingly add it as a "best practice" if it's there (they already do this with mobile apps). This decreases user security as the options we all know will make up the acceptable list are compromised with built-in malware today.
I don’t think it’s realistic to expect browsers to not support attestation.
Business is already able to use attestation to enforce/deny the use of specific kinds of keys. Removing this ability would break web-based SSO for businesses that rely on that ability. For example, if that vanished overnight then the only way I'd be able to log in to our Entra tenant is via a break glass account that is exempt from attestation.
If you want your bank employees to be able to authenticate to web applications with _only_ approved authenticators, then attestation is the way that is accomplished.
You can do FIDO2 Enterprise Attestation as well, but those devices aren’t generally available outside of (rather pricy) enterprise sales channels and require more overhead.
Device attestation with consumers is already unpopular. Google experienced this recently with their “Web Environment Integrity” ~~con~~ proposal. It’s also a logistical nightmare. If Apple, for example, supported attestation then anyone who implements it now has a bunch of additional headaches in keeping it updated with fingerprints and the risk of extra failure cases.
The people who want attestation for consumers don’t have their interests at heart, and the people who would have to implement attestation in consumer devices aren’t interested in doing that. Except for Google, because it suits their interests.
I’m not saying the case is strong that attestation won’t happen. I’m simply saying the case for attestation in business contexts is strong, is already deployed and relied upon. The interest for consumer attestation isn’t very well aligned with those who have to do the work to make it happen. Google is an exception to that and sound technical and policy minds keep showing their attempts the door.
Edit to add: for better or worse, consumer and business devices are virtually the same these days. I would argue it’s worse to bifurcate them because that would enable rapidly realizing the world none of us want where no one has any control over any part of their device unless it’s owned by a business.