The spec has issues due to usual RFC bullshit and corporate greed, but as per usual the viewpoint here is too narrow. I’m running my own open source authentication stack and choose what attestations are acceptable, say only allow the FIPS version of Yubikeys. That feature exists because companies want to be able to control which methods they consider secure enough for their own employees. This tech was built for corporate security, using it externally facing with end-users is a bolted on after the fact idea. Having control is necessary, it does not make the spec evil.
Now say GitHub enable attestations that only allow Windows Hello passkeys to go through, then yes that’s technically possible. It would also be a support nightmare so they won’t. (It’s already a support nightmare for anyone limiting devices since for example security key vendors regularly forget to publish their fingerprints for new products.)
The whole biometrics thing? Total red herring. UV can be enabled in many different ways and totally “faked” as well, which is what all the software implementations do such as Bitwarden. Only way to stop it is approvelisting specific devices, see point above.
The spec has issues due to usual RFC bullshit and corporate greed, but as per usual the viewpoint here is too narrow. I’m running my own open source authentication stack and choose what attestations are acceptable, say only allow the FIPS version of Yubikeys. That feature exists because companies want to be able to control which methods they consider secure enough for their own employees. This tech was built for corporate security, using it externally facing with end-users is a bolted on after the fact idea. Having control is necessary, it does not make the spec evil.
Now say GitHub enable attestations that only allow Windows Hello passkeys to go through, then yes that’s technically possible. It would also be a support nightmare so they won’t. (It’s already a support nightmare for anyone limiting devices since for example security key vendors regularly forget to publish their fingerprints for new products.)
The whole biometrics thing? Total red herring. UV can be enabled in many different ways and totally “faked” as well, which is what all the software implementations do such as Bitwarden. Only way to stop it is approvelisting specific devices, see point above.