Yeah, I wrote this comment before I knew that Apple was dropping attestation. Them dropping attestation kind of renders the entire conversation moot, practically no one is going to require it if it means cutting off the entire Apple userbase. It's good news.
It's honestly kind of the best possible situation short of attestation being outright removed from the spec. My bank doesn't understand "I should be able to use real 2FA instead of a text message", but they will understand "I should be able to log in from a Mac."
What would happen if Apple just started using attestation at a later date? It is still in the spec after all. I could see some services being willing to drop Apple for competitive reasons. ChatGPT only works on Edge browser at the moment IIRC.
:shrug: that would be a very bad problem if it happened.
Removing it from the spec would be better for precisely this reason, but making it harder to use is the next best answer. Bing AI's browser restrictions for example are a pretty big restriction on the service -- that comes with penalties that will discourage many sites from going down that route.
If Google also drops attestation for synced keys then it would become even harder to use attestation, and harder for Apple to go back on its decision. But yes, you're right, it would be better to have stronger guarantees about the future.
It's honestly kind of the best possible situation short of attestation being outright removed from the spec. My bank doesn't understand "I should be able to use real 2FA instead of a text message", but they will understand "I should be able to log in from a Mac."