It seems like it will only be a matter of time before consumer sites start requiring a patched OS with an attestation bit set in the key.
replyAlso, as I understand it, sites can whitelist credential hardware.
If not, then the attestation is security theater. I (or an attacker on your machine), can just make a sw emulator of a hw attestation device, and use that to protect my choice of OS, (and skim your credentials).
If a whitelist exists, then my “hijack your OS” plan works: Require the builtin macos/windows/signed chrome on signed os password managers. That’s 90% of the market (and dropping) right now.
As I said, the attestation structurally does NOT attest to your OS or your browser that are displaying the website performing the authentication. It attests to the device that holds the passkey's key material, which is usually not your desktop computer.
replyThe attestation is in fact readable by the FIDO Platform (the browser/OS). It is not encrypted to be readable only by the RP (web site).
replyIt talks about whatever you used to authenticate and the platform can manipulate (or omit) it.
Yes, but the attestation does not tell the RP anything about the browser. The whole point of the nightmare scenario above was for Google to sneak browser attestation in via passkey attestation. The browser being able to see the attestation doesn’t matter for that.
replyDoes Firefox support the Bluetooth flow on Linux at this time?
replyThat's a matter of implementing an open standard. Google hasn't done anything to prevent open source browsers and OSes from implementing it, and nothing in the spec makes it difficult for Firefox/Linux specifically AFAICT.
replyI do not want any business with Apple/Google/Microsoft at all, including owning an Android or iPhone for hardware attestation.
replyYou don't need to use anything from Apple/Google/Microsoft. Passkeys are just WebAuthn which is an open standard.
replyAn open standard that has attestation in it which allows sites to block all open implementations. FIDO Alliance spec writers have even threatened that apps like KeepPassXC could be blocked in the future because they allow you to export your keys.
reply