It took Apple to implement passkeys, for FIDO auth to become as popular as it is today. Apple does not attest because they were lazy. So yes, AFAIK only a few finance sites require attestation. (For internal auth, many IdPs can optionally require attestation, from limited signing authorities. Through federation this attested auth can be used elsewhere but I don't know of any mechanism for asserting that to any relying party.)
Yes, lazy. They knew that passkeys needed to be portable to other devices. Otherwise backups (well, recovery) would be impossibly difficult, as is the case with U2F today. The way the keys are passed around by Apple does not expose them, but they didn't bother to build an ecosystem where an attestation could also be portable (think: Security World). Why bother (it's fairly hard) when you can just not attest, and you have the weight to force everyone to accept it anyway? As long as you are within the Apple ecosystem, using a legitimate hardware-generated passkey, the attestation doesn't matter anyway. So screw everyone else.
FIDO should have rejected this approach but from the very beginning they were captured by the largest corporate interests.
Now to get back to your doubt, if a registration is attested, I would be surprised if it is ignored.
This is not an accurate description of the point of Fido phishing resistance. It isn't to make a bank feel happy the user has a hardware key unless you choose attestation. It is to make the user happy that if they click the key they know is hardware on the wrong site then that site can't MITM a site they intend to authenticate to.
(Stopping users from reusing the protocol for security between passwords and real hardware keys is basically just forcing the DRM for SaaS aspect of attestation on people because you can. If you aren't the kind of institution that issued real tokens to account holders then it is none of your business.)
It's not "lazy", it's "impossible". If you want to have synced keys, you need to have them unencrypted. Otherwise, you need to be able to establish secure links between various secure hardware storage devices.
Apple can do that within their infrastructure, perhaps. But there's just no way to do that across multiple vendors.
> FIDO should have rejected this approach but from the very beginning they were captured by the largest corporate interests.
Why? Passkeys are a perfect replacement for login/password pairs. Their implementations can also be secured as much as possible by each vendor.
And you _can_ require attestation in your WebAuthn implementation, if you think that your data is too precious.
Apple used to support attestation, so while their decision to discontinue it for passkeys might have many possible motivations, laziness is the least likely in my view.
My personal take is that they've done the world a favor by removing it. If they hadn't, Google would have probably followed suit (possibly even doing it in software using some handwavy "Safety Net" arguments), and 1Password, Bitwarden, Keepass etc. would be locked out of more and more sites.
Apple has made clear statements in places such as WWDC talks that they believe attestations are bad for consumer privacy and consumer choice (migrating between Passkey providers, using Password Managers of their choice). They support attestations in very specific enterprise scenarios, so they didn't lazily ignore the work altogether, they just locked it behind a security fence (MDM environments).
Apple has put in extra work to champion other (optional) parts of the spec trying to provide some of what attestation was built to do, but in more privacy-focused/privacy-preserving ways.
> FIDO should have rejected this approach but from the very beginning they were captured by the largest corporate interests.
From the standpoint of consumer Passkey privacy it certainly feels a lot more that attestations were the capture by the largest corporate interests (both Google and Microsoft championed for them as core parts of the specs), and Apple's lone dissent of the big three is the one thing stopping FIDO from having made attestations required rather than optional.
> I wanted cryptographic proof the signature is correct before trying to forge my own.
But you aren't forging anything? You are producing a signature from your own key material? I could be missing something important, certainly. But wouldn't this be earth shattering if you can forge a p256 signature? Apologies if I'm just not getting it.
> Today we will: ... Explore [...] cloning credentials.
Perhaps I didn't read it well enough yet, but I don't see any cloning going on here.
Lastly, a lot of work was done reverse engineering that could also have happened just from reading docs. I suppose from the POV of implementing a software passkey, it's useful to have written the tracing tools for help validating your own implementation. But it's presented as if you were uncovering a secret part of the protocol.
> Do Big Sites Care?
A more important question is: should they? Left as an exercise.
> reverse-engineering CTAP2 at the byte level,
Is it reverse-engineering? Feels more like decoding. Forgive me again if I didn't understand.
Their own key would not work (unless the attacker persistently MITMs them and swaps their own credential in for every subsequent authentication) or they'd see multiple credentials being present in their account.
It's also a good idea to send out an email for every new credential added.
Pretty confident that is out of scope for any reasonable threat model.
The security story for signature counters is subtle[2] and the vast (vast) majority of sites are correct not to require them.
Using the Chrome virtual authenticator indeed works, and from the DevTools UI directly (three dots -> More Tools -> WebAuthn), no sockets required. It's not a vulnerability that it works. If it didn't, Apple, Google, and Microsoft would be effectively the only possible passkey providers. You can lock it down in enterprise environments if you need[3].
[1] https://www.w3.org/TR/webauthn-3/#sctn-sign-counter [2] https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn... [3] https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn...
rlpb•4d ago
Didn't we already know this?
vmfunc•3d ago
ThePowerOfFuet•5h ago
nullpt_rs•3d ago
didntcheck•6h ago
Edit: I may be misunderstanding the scope of attestation in a FIDO/Webauthn context. Is it a legitimate concern that it would lock out other OSes, or would you simply need a hardware key (or perhaps a TPM), but could run what you want above it?
mjg59•6h ago
tialaramex•5h ago
We know from the Web PKI how this goes. People who have no idea what they're doing copy-paste a "good" list in 2025, but in 2035 the fact a third of vendors on that "good" list are now known villains and another third went bankrupt doesn't change the problem that stuff on the list works and everything else doesn't, because it was mindlessly copy-pasted
Narrowly, the vendor attestation could make sense if you're BigBank and you bought every employee (or maybe every customer, I wish) a FooCo security key, you can require FooCo security keys. If you're big enough you could have FooCo make you a custom model (maybe with your company logo) and attest every key is the custom model. I expect Yubico would sell you that product, if you were willing to commit to the volume. You get assurance of the exact hardware properties, and you retain the option to shop around by updating your software to trust different attestation. IMO not worth standardizing, but people really wanted this and better it exists but isn't used than it doesn't exist so they walk away.
jeroenhd•6h ago
If you want remote attestation, Safari already has it, but I'm not sure if their attempt at standardising is going anywhere. It's been a while since the draft got updated or mentioned anywhere.
lxgr•4h ago
No, Safari/Apple gave up on remote attestation when they introduced passkeys, except for MDM devices where the MDM profile can allow attestation for RP domains on an opt-in basis.
cyberax•5h ago
TPMs can't create hardware-attested passkeys, at least they couldn't do that with the TPM 2.0 spec.
And you can just use a USB hardware token to get attested keys. Or you can use WebAuthn over Bluetooth to your phone, essentially using your phone's secure enclave (or its equivalent) as the key source.
Being able to require attested passkeys is a _good_ thing.
ndriscoll•5h ago
cyberax•4h ago
That's the point.
> and you're requiring people to go buy another device for little to no real security benefit.
No. The benefit is clearly there: hardware-originated keys can not be stolen under any normal circumstances. Meanwhile, synced passkeys are just fancy login/password pairs, so they can be exfiltrated by an attacker. E.g. by scanning the RAM of the passkey manager.
Of course, the operating system can try to add additional barriers, but the underlying keys must at some point be in clear text form.
ndriscoll•3h ago
Normal people are however not concerned with these Mission Impossible scenarios, and random passwords are good enough while being easy to use without an IT department to fix when it goes wrong. A password manager (which every browser has built in) already associates passwords to domains for phishing resistance. Users already should never need to enter a password manually unless the site did something stupid to try to block the password manager from working.
lxgr•16m ago
That’s an overly reductionist view.
Lots of password compromises still happen due to credential reuse across services, server-side compromises paired with brute-force-able passwords, and phishing/MITM attacks, and software-based WebAuthN credentials prevent all of these.
lxgr•5h ago
As far as I remember, attestation is fully gone on iOS ("Passkeys" or otherwise), and mostly gone on Android too.
cyberax•5h ago
lxgr•4h ago
It's unfortunately not possible to even request a non-synced credential anymore for non-MDM-approved websites.
parliament32•5h ago
We already do. Mostly from the compliance side: I can't call passkeys "phishing-resistant" unless I can lock them down into unexportable passkey providers only. Some more details from a previous comment of mine:
From a corporate compliance perspective, I need to ensure that employee keys are stored in a FIPS-compliant TPM and unexportable. Key loss is not an issue because we have, ya know, an IT department. The only way I can ensure this happens is by whitelisting AAGUIDs and enforcing attestation.
With these factors I can also get out of the MFA hellhole (because I can prove that whitelisted vendor X already performs MFA on-device without me having to manage it: for example, WHFB requires something you have (keys in your TPM) and either something you are (face scan / fingerprint) or something you know (PIN), without me having to store/verify any of those factors or otherwise manage them). Same goes for passkeys stored in MS Authenticator on iOS/Android.
lxgr•4h ago