I can kind of see it, but you can also just use an authenticator from any manufacturer, or have multiple types that you use? I'm just curious what I'm overlooking.
> I've encountered multiple sites that now use authenticatorAttachment options to force you to use a platform bound Passkey. In other words, they force you into Microsoft, Google or Apple. No password manager, no security key, no choices.
The hidden risk of attestation none: the user might (gasp) use a libre authenticator!
This same ordeal is why lots of Android software is intentionally broken on non-Google operating systems, and it would be a terrible blow for the web if it worked like that for every website with a login. Passkeys are that future, and it's very hard to take anyone who encourages their use seriously. Encouraging attestation, like here, is even worse.