by ndriscoll 607 days ago
Non-default as in browsers should not provide any attestation information unless configured to via a setting in about:config (which can be automatically enabled by IT on a managed device), and mobile OSes should not provide attestation info to apps unless configured via some similarly buried setting that MDM can enable.

Basically put it there for nerds and IT where the device owner wants that extra security and coordinates with (or is) the service provider to set it up. For everyday use, it should be unavailable so that it's not used for lock-in.

1 comments

Browsers should follow the spec.

Whether or not attestation data is passed on to the browser is a decision the passkey provider can make.