
I assume you're talking about attestation here, not authentication? My question is, as always:

> At least none of the existing implementations do.

So why isn't that in the spec?

Unless something has changed in the past month or so, the only reason why attestation for roaming keys is less of an issue is because Apple has voluntarily completely of its own volition decided to zero out information in its implementation. That's turned out not to be enough; it's trivial to find accounts online of people complaining that they've tried to register passkeys from alternate providers and have found out that websites are checking browser agents or using other measures to restrict which keys can be registered.

But ignoring that and only focusing on actual attestation using the mechanisms that FIDO has built into WebAuthn, why is an Open standard relying on Apple's goodwill for such an important decision? Why do we have a standard that specifies how to lock down devices through hardware attestation and that relies on providers optionally choosing to do the right thing and ignore that mechanism, but that thinks it would be overreaching for the Alliance to mandate ecosystem transfer or to block discrimination against providers/authenticators?
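The mechanism the comment is arguing about is the attestation data a relying party receives at registration: the authenticator's AAGUID inside the authenticator data, plus the attestation statement format (`fmt`), which a provider can set to `none`. Whether a key from an alternate provider is accepted is purely a policy choice in the relying party's code. The following is an added example, not code from the thread or from any FIDO implementation; it assembles constructed authenticator-data bytes in the WebAuthn layout and shows a provider-neutral registration policy beside an AAGUID-allowlist policy, so the lock-out effect described above is visible in one run.

```python
"""Added example (not from the thread): how a WebAuthn relying party's
attestation policy decides whether a passkey registration is accepted.
Byte layout follows the WebAuthn authenticator-data format; all sample
values (rp id, credential id, AAGUIDs) are constructed for this demo."""
import hashlib
import struct

ZERO_AAGUID = bytes(16)          # a zeroed AAGUID reveals nothing about the authenticator model
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40


def build_auth_data(rp_id, aaguid, cred_id, sign_count=0, cose_key=b"\xa0"):
    """Assemble authenticator data in the spec's layout:
    rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE key.
    The COSE key is an empty CBOR map placeholder; only the leading fields matter here."""
    flags = FLAG_UP | FLAG_UV | FLAG_AT
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count)
            + aaguid
            + struct.pack(">H", len(cred_id))
            + cred_id
            + cose_key)


def parse_auth_data(auth_data):
    """Pull the fields a relying party inspects at registration out of authenticator data."""
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if not flags & FLAG_AT:
        raise ValueError("registration response carries no attested credential data")
    aaguid = auth_data[37:53]
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_len]
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count,
            "aaguid": aaguid, "cred_id": cred_id}


def registration_decision(fmt, auth_data, expected_rp_id, allowed_aaguids=None):
    """Return (accepted, reason).

    allowed_aaguids=None is the provider-neutral policy: attestation is recorded
    for diagnostics but never used to refuse a key. A non-None allowlist is the
    restrictive policy that locks out any authenticator it does not recognise."""
    info = parse_auth_data(auth_data)
    # Checks every relying party performs regardless of attestation policy.
    if info["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not info["flags"] & FLAG_UP:
        return False, "user presence not asserted"
    if allowed_aaguids is None:
        return True, f"accepted; fmt={fmt}, aaguid={info['aaguid'].hex()} (informational only)"
    # Restrictive policy: demands a verifiable statement and a known authenticator model.
    if fmt == "none":
        return False, "policy requires attestation but authenticator sent fmt=none"
    if info["aaguid"] not in allowed_aaguids:
        return False, f"aaguid {info['aaguid'].hex()} is not on the allowlist"
    return True, "accepted by allowlist"


if __name__ == "__main__":
    # Constructed registration from a provider that zeroes its AAGUID and sends fmt=none.
    auth_data = build_auth_data("example.com", ZERO_AAGUID, b"\x01\x02\x03")
    # Constructed allowlist containing one made-up hardware-key AAGUID.
    allowlist = {bytes.fromhex("11111111222233334444555555555555")}
    print("neutral  :", registration_decision("none", auth_data, "example.com"))
    print("allowlist:", registration_decision("none", auth_data, "example.com", allowlist))
```

Run as a script to see the same registration accepted by the neutral policy and refused by the allowlist policy. The point for defenders is that the allowlist branch is where provider discrimination happens; an RP that does not have a specific assurance requirement can request `attestation: "none"` in its `navigator.credentials.create()` options and keep only the neutral branch, which also avoids building a user-agent check that breaks as soon as a new provider appears.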




> ...it's trivial to find accounts online of people complaining that they've tried to register passkeys from alternate providers and have found out that websites are checking browser agents or using other measures to restrict which keys can be registered.

I knew this was going to happen but I thought they'd wait until there was more broad adoption before the screws started turning.



