The spec has issues due to usual RFC bullshit and corporate greed, but as per usual the viewpoint here is too narrow. I’m running my own open source authentication stack and choose what attestations are acceptable, say only allow the FIPS version of Yubikeys. That feature exists because companies want to be able to control which methods they consider secure enough for their own employees. This tech was built for corporate security, using it externally facing with end-users is a bolted on after the fact idea. Having control is necessary, it does not make the spec evil.

Now say GitHub enable attestations that only allow Windows Hello passkeys to go through, then yes that’s technically possible. It would also be a support nightmare so they won’t. (It’s already a support nightmare for anyone limiting devices since for example security key vendors regularly forget to publish their fingerprints for new products.)

The whole biometrics thing? Total red herring. UV can be enabled in many different ways and totally “faked” as well, which is what all the software implementations do such as Bitwarden. Only way to stop it is approvelisting specific devices, see point above.

There’s also the ADHD DLC variant of: I put it down wherever I suddenly completely context swapped to something that needed my hands free and have no idea what I was previously doing, what I had in my hands and where it might now be.

I feel like you’re missing the point a bit. Living by values you hold dear is not losing, winning or even necessarily a cause. If your values happen to align with a cause, then supporting it in a way you can is at least somewhat fulfilling.

Now, there are definitely people who join a cause for tangential reasons. For example because they are a vehicle to what they want, such as someone who wants to build and use explosives can just as easily become a fundamentalist, anarchist or fascist. (And history has examples of these sordid folks.) They barely care about any of the causes and will drift wherever they can live by their own values, even if it’s about blowing shit up.