- Cloudflare had a "captcha" POC called "Cryptographic Attestation of Personhood" where you need to use a FIDO-approved token. It's reusing U2F just for the attestation part only. I don't think it ever go to production as most people don't have a token (but perhaps in the future hardware-locked passkey may serve as one...)
- Okta do have an option to enforce attestation. By default it is off, but in my Okta production I can limit the list to FIDO-approved vendor only, or to even a subset of them. They also have a beta feature flag for blocking Passkeys but allowing physical keys (which they do not guarantee success)
OK, so you gave two examples of systems that do NOT enforce attestation (one that is not in production, one that has an option to enforce attestation but is not apparently in use).
Are there any widely-used sites that actually enforce attestation?
People already do have issues with e.g. banking apps on mobile devices requiring OS attestation, so we can expect that once they know they can do the same for the most of their web clients (so probably once most people have moved onto Windows 11 which requires a TPM), they will.
It’s absurd, really. Attestation is clearly a feature intended for high security environments, where you want to ensure all employees use their corporate hardware authenticators and those only, yet people act like it’s big techs secret, evil mind control back door.
As a sibling comment explains, attestation isn't processed by common web browsers unless explicitly configured. Your bank can require attestation from you and limit you to a number of supported authenticators... But I don't quite see what that would get them, other than loosing customers? And to what end, to foster ecosystem lockin on behalf of Apple or Google? It doesn't make any sense. Hence: absurd.
Given the chance, why wouldn't companies abuse that feature like every single anti-user feature in the history of them? Surely this time it will be different?
The regulatory universe that banks operate in means that they're not like other companies. They don't share the same overall incentives, and aren't a useful point of comparison.
Non-default as in browsers should not provide any attestation information unless configured to via a setting in about:config (which can be automatically enabled by IT on a managed device), and mobile OSes should not provide attestation info to apps unless configured via some similarly buried setting that MDM can enable.
Basically put it there for nerds and IT where the device owner wants that extra security and coordinates with (or is) the service provider to set it up. For everyday use, it should be unavailable so that it's not used for lockin.
It's only a matter of time when it's this easy. Some essential service, most likely a bank, will inevitably turn it on in the future. And it only takes one of those to make all freedom respecting providers non-viable for someone. For our safety, of course. :)
- Cloudflare had a "captcha" POC called "Cryptographic Attestation of Personhood" where you need to use a FIDO-approved token. It's reusing U2F just for the attestation part only. I don't think it ever go to production as most people don't have a token (but perhaps in the future hardware-locked passkey may serve as one...)
- Okta do have an option to enforce attestation. By default it is off, but in my Okta production I can limit the list to FIDO-approved vendor only, or to even a subset of them. They also have a beta feature flag for blocking Passkeys but allowing physical keys (which they do not guarantee success)