by parliament32 364 days ago
> add "must use attestation with passkeys" to their checklists

We already do. Mostly from the compliance side: I can't call passkeys "phishing-resistant" unless I can lock them down into unexportable passkey providers only. Some more details from a previous comment of mine:

From a corporate compliance perspective, I need to ensure that employee keys are stored in a FIPS-compliant TPM and unexportable. Key loss is not an issue because we have, ya know, an IT department. The only way I can ensure this happens is by whitelisting AAGUIDs and enforcing attestation.

With these factors I can also get out of the MFA hellhole (because I can prove that whitelisted vendor X already performs MFA on-device without me having to manage it: for example, WHFB requires something you have (keys in your TPM) and either something you are (face scan / fingerprint) or something you know (PIN), without me having to store/verify any of those factors or otherwise manage them). Same goes for passkeys stored in MS Authenticator on iOS/Android.

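The two controls the comment above relies on, enforcing attestation and allowlisting AAGUIDs (plus the UV flag that backs the "vendor already does MFA on-device" argument), map onto a small relying-party check at registration time. The following is an added example, not code from the commenter or from any passkey vendor. It assumes the `fmt` string has already been pulled out of the CBOR-decoded attestationObject, that the attestation statement's signature chain has already been verified against the vendor's attestation root (for instance using FIDO MDS metadata) before this gate runs, and all AAGUIDs below are constructed placeholders, not real vendor identifiers.

```python
"""Gate a WebAuthn registration on attestation format, UV, and an AAGUID allowlist."""
import struct
import uuid

# Constructed placeholder AAGUIDs (not any vendor's real values). In practice,
# take AAGUIDs from the vendor's published list or FIDO MDS, and trust the one
# in authData only after the attestation statement has been verified against
# that vendor's attestation root; the field itself is self-reported.
EXAMPLE_PLATFORM_AAGUID = uuid.UUID("11111111-2222-3333-4444-555555555555")  # hypothetical TPM-backed platform provider
EXAMPLE_KEY_AAGUID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")       # hypothetical approved hardware key
EXAMPLE_UNLISTED_AAGUID = uuid.UUID("99999999-8888-7777-6666-555555555555")  # hypothetical software password manager
ALLOWED_AAGUIDS = {EXAMPLE_PLATFORM_AAGUID, EXAMPLE_KEY_AAGUID}
ZERO_AAGUID = uuid.UUID(int=0)  # an all-zero AAGUID identifies no authenticator model

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified on-device (PIN or biometric)
FLAG_AT = 0x40  # attested credential data present


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the 37-byte authData header and, when the AT flag is set, the
    attested credential data (AAGUID, credential ID). The trailing COSE
    public key is returned as raw bytes without further decoding.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {"rp_id_hash": auth_data[:32], "flags": flags, "sign_count": sign_count,
              "aaguid": None, "credential_id": None, "cose_key": b""}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is missing")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_end = 55 + cred_len
        if len(auth_data) < cred_end:
            raise ValueError("credential ID length exceeds authenticatorData")
        parsed["credential_id"] = auth_data[55:cred_end]
        parsed["cose_key"] = auth_data[cred_end:]
    return parsed


def registration_policy(fmt: str, auth_data: bytes, allowed=ALLOWED_AAGUIDS) -> tuple:
    """Return (accepted, reason) for a registration. `fmt` is the attestation
    statement format from the decoded attestationObject. Run this only after
    the attestation signature chain has been verified; otherwise the AAGUID
    is an unverified claim any software authenticator could make.
    """
    if fmt == "none":
        return False, "no attestation: AAGUID and key storage are unverifiable"
    parsed = parse_authenticator_data(auth_data)
    if not parsed["flags"] & FLAG_AT:
        return False, "no attested credential data"
    if not parsed["flags"] & FLAG_UV:
        return False, "user verification not performed on-device"
    aaguid = parsed["aaguid"]
    if aaguid == ZERO_AAGUID:
        return False, "zero AAGUID: authenticator model not identified"
    if aaguid not in allowed:
        return False, f"AAGUID {aaguid} is not an approved provider"
    return True, f"AAGUID {aaguid} approved"


def build_auth_data(flags: int, aaguid: uuid.UUID, sign_count: int = 0) -> bytes:
    """Assemble constructed authenticatorData for testing; not real device output."""
    rp_id_hash = bytes(32)          # constructed; a real value is SHA-256 of the RP ID
    credential_id = b"\x01" * 16    # constructed
    cose_key = b"\xa5\x01\x02"      # truncated placeholder, not a valid COSE key
    body = rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        body += aaguid.bytes + struct.pack(">H", len(credential_id)) + credential_id + cose_key
    return body


if __name__ == "__main__":
    good = build_auth_data(FLAG_UP | FLAG_UV | FLAG_AT, EXAMPLE_PLATFORM_AAGUID)
    print(registration_policy("packed", good))
    print(registration_policy("none", good))
    print(registration_policy("packed", build_auth_data(FLAG_UP | FLAG_AT, EXAMPLE_PLATFORM_AAGUID)))
    print(registration_policy("packed", build_auth_data(FLAG_UP | FLAG_UV | FLAG_AT, EXAMPLE_UNLISTED_AAGUID)))
```

The ordering matters: a `fmt` of `"none"` is rejected before the AAGUID is even read, because without a verified attestation statement the AAGUID is just bytes the client supplied, and the UV check is what lets the relying party treat the authenticator's own PIN or biometric as the second factor instead of managing one itself.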

> I can't call passkeys "phishing-resistant" unless I can lock them down into unexportable passkey providers only

I don't think this is accurate. As far as I know, no credential managers (except for maybe KeePassX) allow export of passkeys, and will instead only allow for secure transfer via the new Credential Exchange Protocol.

> secure transfer via the new Credential Exchange Protocol

If it's "transferable", it's not phishing-resistant (i.e. it's possible for a user to get bamboozled into transferring their keys to a bad actor), right? Regardless of mechanism.

You might've missed the "FIPS" part as well. This requirement effectively means the keys (or the keys to decrypt the keys) must be stored in a tamper-resistant hardware crypto device (read: your TPM) and basically no credential managers (apart from the first-party ones we have whitelisted) use the TPM for storing your keys.