Passkeys and Modern Authentication
Briefly

"In particular it is what tells a website if you have a Yubikey plugged in versus something like 1password. This is the mechanism by which the Austrian government, for instance, prevents you from using an Open Source or any other software-based authenticator to sign in to do your taxes, access medical records or do anything else that is protected by eID. Instead you have to buy a whitelisted hardware token."
"Attestations themselves are not used by software authenticators today, or anything that syncs. Both Apple and Google do not expose attestation data in their own software authenticators (Keychain and Google Authenticator) for consumer passkeys. However, they will pass through attestation data from hardware tokens just fine. Both of them also, to the best of my knowledge, expose attestation data for enterprises through Mobile Device Management."
Passkeys are replacing usernames and passwords and will likely benefit many consumers, but the underlying standard contains mechanisms that enable restrictive behavior. The attestation system lets an authenticator reveal its type to a relying party, so hardware tokens can be distinguished from software-based authenticators. Governments or enterprises can use attestation to require specific whitelisted hardware, blocking open source or synchronized software authenticators for sensitive services. The major platform vendors do not expose attestation data for consumer software passkeys, but they pass through hardware token attestations and can surface attestation to enterprises via Mobile Device Management. The attestation API has already been used to restrict authentication choices in governmental systems, raising lock-in risks. Exporting private keys between password managers is currently not supported, which increases migration friction.
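To make the mechanism concrete, here is an added example (not code from the original page or from any vendor) of what a relying party sees at registration: it parses the fixed-layout prefix of WebAuthn authenticator data to pull out the flags and the AAGUID, then applies either a permissive policy or a hardware-only allowlist policy of the kind described above. The allowlisted AAGUID and the credential bytes are constructed placeholders, and the attestation signature check that would make a "packed" AAGUID trustworthy is assumed to have happened before this function is called.

```python
import hashlib
import struct
import uuid

# Constructed placeholder, not a real vendor AAGUID: the RP's allowlist of hardware tokens.
HARDWARE_ALLOWLIST = {uuid.UUID("11111111-1111-4111-8111-111111111111")}
ZERO_AAGUID = uuid.UUID(int=0)


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse rpIdHash, flags, signCount and (if present) AAGUID / credential id."""
    if len(auth_data) < 37:
        raise ValueError("authData too short")
    flags = auth_data[32]
    info = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & 0x01),
        "user_verified": bool(flags & 0x04),
        "backup_eligible": bool(flags & 0x08),  # BE: credential may be synced (a passkey)
        "backup_state": bool(flags & 0x10),     # BS: credential is currently backed up
        "attested": bool(flags & 0x40),         # AT: attested credential data follows
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
    }
    if info["attested"]:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        info["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        info["credential_id"] = auth_data[55:55 + cred_len]
    return info


def evaluate_registration(fmt: str, auth_data: bytes, require_hardware: bool) -> tuple:
    """Return (accepted, reason). fmt is the attestation statement format, e.g. 'none' or 'packed'."""
    info = parse_auth_data(auth_data)
    if not info["attested"]:
        return False, "no attested credential data"
    if not require_hardware:
        return True, "any authenticator accepted"
    # 'none' carries no signature, so the AAGUID is self-asserted and proves nothing.
    if fmt == "none":
        return False, "attestation format 'none': authenticator type is unverifiable"
    if info["backup_eligible"]:
        return False, "syncable credential rejected"
    if info["aaguid"] not in HARDWARE_ALLOWLIST:
        return False, f"AAGUID {info['aaguid']} not on allowlist"
    return True, "allowlisted hardware token"  # assumes the attestation signature was verified


def make_auth_data(flags: int, aaguid: uuid.UUID, cred_id: bytes = b"\x01" * 16) -> bytes:
    """Build constructed sample authenticator data for a hypothetical RP 'example.test'."""
    return (hashlib.sha256(b"example.test").digest() + bytes([flags])
            + struct.pack(">I", 0) + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id)
```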