by jsnell 561 days ago
This is neither a new idea nor a good one. Cloudflare did a PR launch of pretty much the same thing a few years back, and that you haven't actually seen it in the wild probably tells you all you need to know about how useful it is.

Webauthn is not an integrity attestation; it doesn't tell you anything about how trustworthy the client is. Nor is it a uniqueness attestation; an attacker can mint an arbitrary number of different identities at basically no cost. It's a primitive for building account security systems, not one for building abuse prevention ones.

Some relevant HN threads:

https://news.ycombinator.com/item?id=27141593

https://news.ycombinator.com/item?id=27153254

https://news.ycombinator.com/item?id=27500326


there is attestation of the registration device in webauthn

so you can tell that a token was signed by an official yubikey, apple secure enclave, tpm, etc

for yubikeys the attestation signing certificate is shared between devices, but this number is limited

so you could rate limit... just it would be a horrible experience when you are limited
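An added example, not from the thread: a Python sketch of what a relying party can read out of a registration's attestationObject, which is the attestation the comment above refers to. It decodes the CBOR to get the `fmt`, the AAGUID and whether an `x5c` certificate chain is present; it does not verify signatures or chains, and the minimal CBOR codec, the sample objects and the AAGUID value are all constructed here.

```python
def cbor_decode(data, pos=0):
    """Minimal CBOR decoder for the subset attestationObjects use (ints,
    byte/text strings, arrays, maps). Returns (value, next_position)."""
    ib = data[pos]; major, arg, pos = ib >> 5, ib & 0x1F, pos + 1
    if major > 5: raise ValueError("unsupported CBOR major type %d" % major)
    if arg >= 24:  # length/value is in the following 1, 2, 4 or 8 bytes
        n = 1 << (arg - 24); arg = int.from_bytes(data[pos:pos + n], "big"); pos += n
    if major == 0: return arg, pos
    if major == 1: return -1 - arg, pos
    if major in (2, 3):
        s = data[pos:pos + arg]
        return (s if major == 2 else s.decode()), pos + arg
    items = []
    for _ in range(arg * (2 if major == 5 else 1)):  # maps hold key,value pairs
        v, pos = cbor_decode(data, pos); items.append(v)
    return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos

def cbor_encode(v):
    """Tiny encoder (lengths < 256), used only to build the constructed samples."""
    def head(major, n):
        return bytes([major << 5 | n]) if n < 24 else bytes([major << 5 | 24, n])
    if isinstance(v, int): return head(0, v) if v >= 0 else head(1, -1 - v)
    if isinstance(v, bytes): return head(2, len(v)) + v
    if isinstance(v, str): return head(3, len(v)) + v.encode()
    if isinstance(v, list): return head(4, len(v)) + b"".join(map(cbor_encode, v))
    return head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())

def classify_attestation(attestation_object):
    """Return (fmt, aaguid_hex, verdict) for a registration's attestationObject."""
    obj, _ = cbor_decode(attestation_object)
    auth, stmt = obj["authData"], obj["attStmt"]
    at_flag = auth[32] & 0x40  # AT bit set: attested credential data follows the counter
    aaguid = auth[37:53].hex() if at_flag else None
    if obj["fmt"] == "none" or "x5c" not in stmt:
        verdict = "no device attestation chain: authenticator model is unverifiable (software-grade)"
    else:
        verdict = "x5c chain present: verify against trusted roots (e.g. FIDO MDS); it identifies a device batch/model, not a unique device"
    return obj["fmt"], aaguid, verdict

# Constructed sample authData: rpIdHash(32) | flags(1) | counter(4) | AAGUID(16) | credIdLen(2) | credId | COSE key
AUTH_DATA = (bytes(32) + bytes([0x41]) + (1).to_bytes(4, "big") + bytes([0xAB]) * 16
             + (16).to_bytes(2, "big") + bytes(16) + cbor_encode({1: 2, 3: -7}))
HARDWARE_LIKE = cbor_encode({"fmt": "packed", "attStmt": {"alg": -7, "sig": b"sig", "x5c": [b"cert"]},
                             "authData": AUTH_DATA})
NO_ATTESTATION = cbor_encode({"fmt": "none", "attStmt": {}, "authData": AUTH_DATA})

if __name__ == "__main__":
    for sample in (HARDWARE_LIKE, NO_ATTESTATION):
        print(classify_attestation(sample))
```

Because the x5c chain in a real packed or fido-u2f statement is a batch certificate shared by many devices, this tells you which model registered, not which individual device, which is why it cannot serve as a uniqueness check.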

What about for software implementations like 1Password and Bitwarden?
They can't fake the attestation from hardware implementations so you could just reject keys from software implementations.
Wouldn't companies/bots/etc. still just get around this by buying many such hardware devices and automating their usage instead?
So what about users that don't have any such hardware?
Use a CAPTCHA?
Yes of course, but I hope this is part of the plan. Too often new technologies seem to leave some people apart, because the deciders don't think (or don't want to think) about those who don't want to (or can't) embrace a specific technology.
Yeah but that breaks real use cases from real users.

It's really annoying, PayPal does this too. They only support passkeys in safari or chrome, even though it works just fine with a yubikey in Firefox. They just go out of their way to stop it from working. Really really annoying.

And they also refuse to enroll more than one token even for the basic fido2 mfa.

I don’t see that in the code. But you’re right that there is something heuristic you can do.
Here is a relevant discussion about it in S/O: https://stackoverflow.com/questions/67797804/how-to-distingu...
the cynic in me thinks this will become mandatory on major websites at some future point

so you won't be able to log into youtube unless you have a TPM approved by Google