by jeroenhd 361 days ago
The spec tells websites to please not do validation on specific hardware. You can do a light form of remote attestation, but you'll have to convince the user to use passkeys only and not some kind of username+password backup, which is still a tough sell.

If you want remote attestation, Safari already has it, but I'm not sure if their attempt at standardising is going anywhere. It's been a while since the draft got updated or mentioned anywhere.


> If you want remote attestation, Safari already has it

No, Safari/Apple gave up on remote attestation when they introduced passkeys, except for MDM devices where the MDM profile can allow attestation for RP domains on an opt-in basis.

> except for MDM devices where the MDM profile can allow attestation for RP domains on an opt-in basis.

And even then, the attestation you get in that scenario is just an attestation that the passkey was created on a managed device. It is not a hardware/device attestation.

But only Apple devices can be managed, and presumably that’s in turn attested to by Apple cryptographic keys in hardware?
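The thread turns on what a relying party actually receives: with passkeys the attestation statement format is usually `none`, so the RP learns nothing about the hardware and must decide its own policy. The following is an added example, not code from the thread or from any of the posters; it decodes a WebAuthn `attestationObject` with a minimal CBOR decoder and reports the `fmt`, the AAGUID and whether any attestation statement was sent at all. The sample object is constructed inline (all-zero AAGUID, empty COSE key) purely to exercise the parser.

```python
# Added example, not code from the thread: inspect a WebAuthn attestationObject
# on the relying-party side. Sample data is constructed, not a real authenticator's.

def _decode(buf: bytes, pos: int = 0):
    """Minimal CBOR decoder: uints, bstr, tstr and maps (enough for the top level)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info in (24, 25, 26):                    # 1-, 2- or 4-byte length
        width = 1 << (info - 24)
        n, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return n, pos
    if major in (2, 3):                           # bstr / tstr
        raw = buf[pos:pos + n]
        return (raw if major == 2 else raw.decode("utf-8")), pos + n
    if major == 5:
        out = {}
        for _ in range(n):
            key, pos = _decode(buf, pos)
            out[key], pos = _decode(buf, pos)
        return out, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def classify_attestation(attestation_object: bytes) -> dict:
    """Report fmt, AAGUID (when the AT flag is set) and whether an attStmt was sent."""
    obj, _ = _decode(attestation_object)
    auth_data = obj["authData"]
    at_flag = bool(auth_data[32] & 0x40)          # AT bit: attested credential data follows
    return {
        "fmt": obj["fmt"],
        "aaguid": auth_data[37:53].hex() if at_flag else None,
        "has_attestation_statement": obj["fmt"] != "none" and bool(obj["attStmt"]),
    }

def _head(major: int, n: int) -> bytes:
    """CBOR initial byte(s) for lengths < 256; used only to build the sample."""
    return bytes([(major << 5) | n]) if n < 24 else bytes([(major << 5) | 24, n])

# Constructed authData: rpIdHash(32) | flags UP+UV+AT (0x45) | signCount(4) |
# all-zero AAGUID(16) | credIdLen=16 | credId(16) | empty COSE key map (0xA0)
_AUTH_DATA = bytes(32) + b"\x45" + bytes(4) + bytes(16) + b"\x00\x10" + bytes(16) + b"\xa0"
SAMPLE_NONE_ATTESTATION = (_head(5, 3)
    + _head(3, 3) + b"fmt" + _head(3, 4) + b"none"
    + _head(3, 7) + b"attStmt" + _head(5, 0)
    + _head(3, 8) + b"authData" + _head(2, len(_AUTH_DATA)) + _AUTH_DATA)
```

A `fmt` of `none` with an empty `attStmt`, as in the sample, is the common passkey case: the credential is usable, but nothing here proves which device or authenticator created it.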