The issue, though, is attestation doesn't really do much for the site either. It's not like the bank wants to enable attestation because it's somehow more secure. It's only useful in cases where a company wants to say "we only want you to use Yubikeys because that's what HR has approved", not so much for sites mandating what their customers should use.
This is a bit like worrying that sites will block 1Password and only allow LastPass. Why would they, even if they could?
Because people are not always rational? Or because non-technical people (and technical people too, just less often) don't always make good technical decisions?
I can totally imagine a case where non-techie Joe starts a small shop, wants a website, sees an ad for cheap hosting for non-techies, one-click installs WordPress, goes to settings and ticks the checkboxes because "require secure devices" sounds secure. Or some other reason - people do weird things all the time. I can't count how many times I've looked at someone's server or website (including my own, especially after some time passes) and wondered why something is weird or plain wrong.
You're probably right, though. Attestation is very unlikely to be an issue if Passkey implementations that don't have it are popular enough to matter soon enough. And given that 1Password is spearheading it and Apple doesn't have it either - this is probably going to be true.
Attestation could become a real issue only if the vast majority of implementations available by the time sites start to adopt Passkeys all provide it. Then site owners could make those mistakes and not even realize it. But that's not what seems to be happening, so I'm sure attestation won't be a big deal.
Attestation can be more detailed than just what brand of hardware key you use. Banks probably don't care.
But attestation also informs what the capabilities are. What banks (or others) might care about is whether or not you're using a TPM or equivalent to store your key in, and attestation can tell them that.
Fortunately, it seems that major providers don't support attestation. If no one provides attestation capabilities, no one would request it, not even someone as anti-user as a bank.