> A site having the technical ability to determine not just its authentication mechanism but how that authentication mechanism is stored is not its choice and should not be its choice and is not its business.
If that site is legally held liable for fraud happening due to credential compromise, as (hopefully!) would be the case for e.g. consumer bank accounts, I'd say there is at least some legitimate interest.
> If that site is legally held liable for fraud happening due to credential compromise, as (hopefully!) would be the case for e.g. consumer bank accounts, I'd say there is at least some legitimate interest.
I kind of disagree honestly. I think consumer bank accounts are some of the least secure accounts I have online. My consumer bank account has removed 2FA options over time. They've literally gone backwards on security.
I don't think there's much evidence that holding banks liable for fraud means that they're going to responsibly make their services more secure. Consumer banks in the US at least are wildly behind the times on account security, and I really don't trust them to make choices about what device I use.
What I do think banks do is invest a lot of effort into looking secure, and I think that stuff like attestation would (if supported) provide an easy mechanism for them to look secure at the same time that they allowed anyone to get into my account with just a social security number and my mother's maiden name. So I feel like, don't even give them the option. There's so much they can do to improve security before we ever start talking about requiring users to use specific hardware devices. Let's have them catch up on basic industry practices before we have that conversation.
This is certainly true in the US in my experience, but not everywhere globally.
EU regulations require 2FA both for logins on unknown devices and for every transaction initiation (whether on a known/trusted or new session), for example. Often, this happens in the form of dedicated "authenticator apps" that currently take quite frustrating/ineffective security measures like trying to detect whether the device is rooted.
Attestation could at the same time make this actually secure and give users more freedom to e.g. use whatever OS/mod they want to (since the actual root of trust would be an external authenticator or potentially their phone's TEE/Secure Element, not the OS).
I guess if this was regulated to be optional or regulated in such a way that it could only be used for keeping keys on-device and couldn't be used for locking out other devices from making accounts, then I'd be OK with it.
But we don't have those regulations in the US, and banks here shouldn't have access to this. We are so behind on security, it just doesn't make sense to give them yet another tool to lock down devices while they're ignoring everything else they could be doing. I would at least advocate for some kind of pact from FIDO Alliance members that attestation will only be implemented for devices sold in countries that have that kind of regulation.
Or, maybe there's a way to do attestation where it's entirely user opt-in and isn't something that the service provider can dictate? Or maybe there's a way to do it where it can't be used to verify the OS/manufacturer during signup, and can only be used to verify that it's the same device where the credentials were created? I think I'd be OK with that existing.
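The design sketched in that last paragraph, as an added example that is not part of the thread: a toy relying party, with the authenticator simulated by a P-256 key using the `cryptography` library (the `SimAuthenticator`/`RelyingParty` names, AAGUID values and `authenticatorData` bytes are all constructed). A site that ignores attestation still gets "same device that created the credential" from the assertion signature alone; the AAGUID allow-list shows the one place where vendor or OS lock-out would enter.

```python
import hashlib, secrets
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

# WebAuthn assertion signatures cover authenticatorData || SHA-256(clientDataJSON)
signing_input = lambda auth_data, client_data: auth_data + hashlib.sha256(client_data).digest()

class SimAuthenticator:
    """Constructed stand-in for a phone TEE or security key: one P-256 key per credential."""
    def __init__(self, aaguid: bytes):
        self.aaguid, self._keys = aaguid, {}  # aaguid: model id that attestation would expose
    def make_credential(self):
        cred_id = secrets.token_bytes(16)
        self._keys[cred_id] = ec.generate_private_key(ec.SECP256R1())
        pub = self._keys[cred_id].public_key().public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)
        return cred_id, pub
    def get_assertion(self, cred_id, auth_data, client_data):
        return self._keys[cred_id].sign(signing_input(auth_data, client_data), ec.ECDSA(hashes.SHA256()))

class RelyingParty:
    def __init__(self, allowed_aaguids=None):
        self.allowed_aaguids, self.creds = allowed_aaguids, {}  # None: attestation ignored
    def register(self, user, authenticator):
        # The device lock-out the thread objects to lives here and nowhere else.
        if self.allowed_aaguids is not None and authenticator.aaguid not in self.allowed_aaguids:
            return None
        cred_id, pub = authenticator.make_credential()
        self.creds[(user, cred_id)] = pub
        return cred_id
    def verify(self, user, cred_id, auth_data, client_data, sig):
        # "Same device that created the credential" follows from key continuity alone.
        pub = self.creds.get((user, cred_id))
        if pub is None: return False
        key = ec.EllipticCurvePublicKey.from_encoded_point(ec.SECP256R1(), pub)
        try:
            key.verify(sig, signing_input(auth_data, client_data), ec.ECDSA(hashes.SHA256()))
            return True
        except InvalidSignature: return False

def demo():
    phone, hw_key = SimAuthenticator(b"\x01" * 16), SimAuthenticator(b"\x02" * 16)  # constructed AAGUIDs
    lenient, strict = RelyingParty(), RelyingParty(allowed_aaguids={b"\x02" * 16})
    phone_cred, key_cred = lenient.register("alice", phone), lenient.register("alice", hw_key)
    auth_data, client_data = b"\x00" * 37, b'{"challenge":"' + secrets.token_hex(16).encode() + b'"}'
    return {"strict_enrolls_phone": strict.register("alice", phone) is not None,
            "genuine": lenient.verify("alice", phone_cred, auth_data, client_data,
                                      phone.get_assertion(phone_cred, auth_data, client_data)),
            "other_device": lenient.verify("alice", phone_cred, auth_data, client_data,
                                           hw_key.get_assertion(key_cred, auth_data, client_data))}
```

Real WebAuthn additionally binds the rpIdHash, signature counter and client challenge; those are simplified away here so the key-continuity point stands on its own.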