by FreakLegion 136 days ago
You're on a tangent from the discussion you're replying to. Individual services get to decide requirements for their users, but that's not at all the same as "banning" KeePassXC from the entire ecosystem.

Like, there are lots of services that require SMS or email link MFA. I guess KeePassXC is just banned from everything, then?

To repeat, the GitHub issue digiown linked is not a threat to ban KeePassXC. A random guy from Okta doesn't have that power. Okta itself doesn't have that power or want to have that power. The GitHub issue is simply a description of what attestation is.

1 comments

OP's point is that we shouldn't allow "individual services get to decide requirements for their users". If the spec requires being implemented in a way that allows that, it's a user-hostile spec.
That wasn't their point and is orthogonal to their misunderstanding of the GitHub issue where, again, no threat is being made.

But in any case services do get to decide, because the service runs on someone else's computer, not yours. You get to decide what happens on your computer, they get to decide what happens on theirs.