Basically, for hardware-backed devices like phones and physical security keys, there's an attestation certificate that is shared by all devices of that model. This can allow a site that wants higher security for some reason to require this kind of proof that the key is protected from copying in hardware (e.g. bound to a specific device and can't be stolen via malware, theoretically) due to it being a model known to be secure. I'm not aware of specific sites requiring this though.
It is recommended that sites don't require it:
"It is important to be aware that requiring attestation is an invasive policy, especially when used to restrict users' choice of authenticator. For some applications this is necessary; for most it is not. [...] When in doubt, err towards being more permissive, because using a passkey is more secure than not using a passkey. [...] we recommend that you do not require a trusted attestation unless you have specific reason to do so."
https://developers.yubico.com/Passkeys/Passkey_relying_party...
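As an added illustration of the two comments above (not code from the thread or from Yubico), the block below parses the authenticator data of a WebAuthn registration response, pulls out the AAGUID that identifies the authenticator model, and applies a relying-party policy that records attestation for future reference by default and only enforces a model allowlist when the site explicitly opts in. The AAGUID values, the allowlist, the sample registration bytes and the function names are all constructed for this example; verifying the attestation signature against the model's certificate chain is deliberately left out.

```python
"""Added example: WebAuthn authenticator-data parsing plus an attestation policy.
Everything here (AAGUIDs, allowlist, sample bytes, names) is constructed for illustration."""
import hashlib
import struct
import uuid
from dataclasses import dataclass
from typing import Optional

# Flag bits in authenticator data (WebAuthn Level 2, section 6.1)
FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified
FLAG_AT = 0x40   # attested credential data is included


@dataclass
class ParsedAuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[uuid.UUID]
    credential_id: Optional[bytes]


def parse_auth_data(auth_data: bytes) -> ParsedAuthData:
    """Decode rpIdHash, flags, signCount and, if present, AAGUID and credential id."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    aaguid = cred_id = None
    if flags & FLAG_AT:
        if len(auth_data) < 37 + 18:
            raise ValueError("attested credential data truncated")
        aaguid = uuid.UUID(bytes=auth_data[37:53])       # identifies the authenticator model
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        # A COSE public key (CBOR) follows; the policy below does not need it.
    return ParsedAuthData(rp_id_hash, flags, sign_count, aaguid, cred_id)


# Constructed AAGUIDs standing in for hardware models this relying party recognises.
KNOWN_HARDWARE_AAGUIDS = {
    uuid.UUID("11111111-2222-4333-8444-555555555555"),
}


def evaluate_attestation(rp_id: str, auth_data: bytes, fmt: str, require_trusted: bool) -> dict:
    """Permissive by default: store the AAGUID and format so users can later be warned
    about a compromised model, but reject only when require_trusted is set.
    (Signature/certificate-chain verification of the attestation statement is omitted.)"""
    parsed = parse_auth_data(auth_data)
    if parsed.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return {"accept": False, "reason": "rpIdHash mismatch"}
    if not parsed.flags & FLAG_AT or parsed.aaguid is None:
        return {"accept": False, "reason": "no attested credential data"}
    record = {"aaguid": str(parsed.aaguid), "fmt": fmt}
    # fmt "none" or an all-zero AAGUID means the authenticator declined to identify its model.
    identified = fmt != "none" and parsed.aaguid.int != 0 and parsed.aaguid in KNOWN_HARDWARE_AAGUIDS
    if require_trusted and not identified:
        return {"accept": False, "reason": "trusted attestation required", **record}
    return {"accept": True, "trusted_model": identified, **record}


def build_auth_data(rp_id: str, flags: int, sign_count: int, aaguid: uuid.UUID,
                    cred_id: bytes, cose_key: bytes = b"\xa0") -> bytes:
    """Construct sample authenticator data (b'\\xa0' is an empty CBOR map as a stand-in key)."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


if __name__ == "__main__":
    hw = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT, 1,
                         uuid.UUID("11111111-2222-4333-8444-555555555555"), b"\x01" * 16)
    anon = build_auth_data("example.com", FLAG_UP | FLAG_AT, 0, uuid.UUID(int=0), b"\x02" * 16)
    print(evaluate_attestation("example.com", hw, "packed", require_trusted=False))
    print(evaluate_attestation("example.com", anon, "none", require_trusted=False))
    print(evaluate_attestation("example.com", anon, "none", require_trusted=True))
```

The default path accepts the anonymous registration and still records `fmt` and the AAGUID, which is all the quoted guidance asks for; flipping `require_trusted` turns the same data into a hard gate on the allowlisted model.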
That seems like truly terrible advice. The only example given:
> It may still be useful to request and store attestation information for future reference - for example, to warn users if security issues are discovered in their authenticators - but we recommend that you do not require a trusted attestation unless you have specific reason to do so.
If that’s the only application, that communication should happen through alternate channels like your browser/OS vendor itself. Having random websites be responsible for communicating whether a given attestation may indicate compromise is less than helpful and the probability of that actually happening correctly is about 0. Oh and given all the breaches, if there is a compromise, the attacker now has a helpful list of customers using compromised authenticators.
One application seems to be to use this to try to replace captcha, but I wonder what kind of impact that will have on 3p authenticators. Without extra details, it may be right to be concerned this is a massive land grab as to how people access online services.
Beautiful example of the limits of AI - it simply reiterates the comment in a seemingly informative way, but it doesn't actually understand it, so it really just states the same thing but more verbosely. Knowing nothing about Passkeys, it's also subtly wrong.
It's a bit anticlimactic how the hype is just dying down and everyone involved is just pretending they weren't just weeks ago crying wolf about the whole thing. Still, I feel vindicated in my early assessment that it was mostly just empty hype about some chatbot.