by 9dev 607 days ago
It’s absurd, really. Attestation is clearly a feature intended for high security environments, where you want to ensure all employees use their corporate hardware authenticators and those only, yet people act like it’s big tech's secret, evil mind control back door.

What is absurd about expecting companies to do what many internet banks in some countries already do?
As a sibling comment explains, attestation isn't processed by common web browsers unless explicitly configured. Your bank can require attestation from you and limit you to a number of supported authenticators... But I don't quite see what that would get them, other than losing customers? And to what end, to foster ecosystem lock-in on behalf of Apple or Google? It doesn't make any sense. Hence: absurd.
Given the chance, why wouldn't companies abuse that feature like every single anti-user feature in the history of them? Surely this time it will be different?
Because it’s highly annoying to set up in a way that doesn’t massively inflate your support cost.
This has not stopped banks in the past.
The regulatory universe that banks operate in means that they're not like other companies. They don't share the same overall incentives, and aren't a useful point of comparison.
If it's only meant to be used for those environments, then attestation data should not be provided by default. IT can enable it on managed devices.
It's up to the provider as to whether they provide or not. I don't think there's a "default"?

I seem to remember that Apple specifically don't provide attestation details on their implementation.

Non-default as in browsers should not provide any attestation information unless configured to via a setting in about:config (which can be automatically enabled by IT on a managed device), and mobile OSes should not provide attestation info to apps unless configured via some similarly buried setting that MDM can enable.

Basically put it there for nerds and IT where the device owner wants that extra security and coordinates with (or is) the service provider to set it up. For everyday use, it should be unavailable so that it's not used for lock-in.

Browsers should follow the spec.

Whether or not attestation data is passed onto the browser is a decision the passkey provider can make.
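The thread turns on who decides what attestation a relying party sees: the RP asks (the `attestation` conveyance preference defaults to "none"), and the client and passkey provider decide what to hand over. The example below is added here and is not code from any commenter or from a browser or passkey vendor; it shows the RP side inspecting what it actually received in a WebAuthn attestationObject, with a minimal CBOR codec so it runs offline. The two sample objects, the RP ID `example.test`, the credential ID and the AAGUID values are constructed, and the COSE public key is a stub; a real RP would also verify the attestation statement's signature and certificate chain, which is omitted.

```python
# Added example: what an RP can learn from the attestationObject it receives.
# Not the thread's code; samples are constructed, signature verification omitted.
import hashlib


def _head(major, n):
    """CBOR initial byte(s) for a major type and a length or value n."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")


def cbor_encode(v):
    """Encode the CBOR subset an attestationObject uses: ints, bytes, text, lists, maps."""
    if isinstance(v, bool):
        raise TypeError("booleans are not needed here")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(type(v))


def cbor_decode(data, pos=0):
    """Decode one CBOR item at pos; returns (value, next_pos). Definite lengths only."""
    ib = data[pos]
    major, info = ib >> 5, ib & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info in (24, 25, 26, 27):
        width = 1 << (info - 24)
        n = int.from_bytes(data[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError("indefinite-length items are not valid in WebAuthn CBOR")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major == 2:
        return data[pos:pos + n], pos + n
    if major == 3:
        return data[pos:pos + n].decode("utf-8"), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        m = {}
        for _ in range(n):
            k, pos = cbor_decode(data, pos)
            m[k], pos = cbor_decode(data, pos)
        return m, pos
    raise ValueError(f"unsupported major type {major}")


ZERO_AAGUID = bytes(16)  # what a client sends when it withholds the authenticator model


def parse_auth_data(auth_data):
    """Split authenticatorData: rpIdHash(32) | flags(1) | signCount(4) | attestedCredentialData."""
    flags = auth_data[32]
    if not flags & 0x40:  # AT bit: attested credential data must be present at registration
        raise ValueError("registration authData lacks attested credential data")
    aaguid = auth_data[37:53]
    cred_len = int.from_bytes(auth_data[53:55], "big")
    return {"rp_id_hash": auth_data[:32], "aaguid": aaguid, "credential_id": auth_data[55:55 + cred_len]}


def inspect_attestation(attestation_object):
    """Report the attestation format and whether the AAGUID actually identifies the authenticator."""
    att, _ = cbor_decode(attestation_object)
    auth = parse_auth_data(att["authData"])
    identifies = att["fmt"] != "none" and auth["aaguid"] != ZERO_AAGUID
    return {"fmt": att["fmt"], "aaguid": auth["aaguid"].hex(), "identifies_authenticator": identifies}


def allowed_by_policy(attestation_object, allowed_aaguids):
    """Corporate-style policy: accept only an attested, non-zero AAGUID on the allow list."""
    info = inspect_attestation(attestation_object)
    return info["identifies_authenticator"] and info["aaguid"] in allowed_aaguids


def make_sample(fmt, aaguid, att_stmt):
    """Constructed attestationObject for demonstration, not real authenticator output."""
    rp_id_hash = hashlib.sha256(b"example.test").digest()  # assumed RP ID
    cred_id = b"\x11" * 16  # constructed credential ID
    pubkey = cbor_encode({1: 2, 3: -7})  # COSE key stub: kty=EC2, alg=ES256, coordinates omitted
    auth_data = (rp_id_hash + bytes([0x41]) + b"\x00\x00\x00\x01"  # flags UP|AT, signCount 1
                 + aaguid + len(cred_id).to_bytes(2, "big") + cred_id + pubkey)
    return cbor_encode({"fmt": fmt, "attStmt": att_stmt, "authData": auth_data})


# RP left attestation at its default ("none"): format "none", empty attStmt, zero AAGUID.
NONE_SAMPLE = make_sample("none", ZERO_AAGUID, {})
# RP asked for "direct" and the provider chose to attest: model is identifiable.
PACKED_SAMPLE = make_sample("packed", bytes.fromhex("0123456789abcdef0123456789abcdef"),
                            {"alg": -7, "sig": b"\x00" * 8})  # constructed, not a real signature

if __name__ == "__main__":
    for name, sample in (("none", NONE_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, inspect_attestation(sample))
```

Run as a script it prints both inspections. The point for the thread: with the default conveyance an RP cannot tell one authenticator model from another, so a lock-in policy like `allowed_by_policy` has nothing to act on; it only becomes enforceable when the RP explicitly requests attestation and the provider agrees to supply it.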