zlacker

1. eadmun+(OP) 2024-12-28 04:06:30
> Apple and Google discontinued attestation when they introduced passkeys. It's gone.

It would be great if you’re correct, but these references sure seem to indicate that attestation is still a thing.

Microsoft, November 2024: https://learn.microsoft.com/en-us/entra/identity/authenticat...

Yubico: https://developers.yubico.com/Passkeys/Passkey_relying_party...

Apple: https://developer.apple.com/documentation/devicemanagement/s...

Apple: https://support.apple.com/guide/deployment/managed-device-at...

Google, September 2024: https://android-developers.googleblog.com/2024/09/attestatio...

A Tour of WebAuthn, December 2024 (aka the fine article): https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn...

replies(1): >>lxgr+32
2. lxgr+32 2024-12-28 04:30:35
>>eadmun+(OP)
Android exclusively supports attestation for non-discoverable/synchronized keys, i.e. not passkeys. This also matches my observation that by opting in to attestation, you're automatically opting out of discoverable credentials and vice versa. (I don't remember off the top of my head which one you get if you require both attestation and discoverable credentials.)

TIL that Apple still supports attestation for MDMed devices, but MDM means corporate/enterprise managed devices, not regular iPhones and Macs. (I also suspect that these would be non-synchronized in the same way that Google does it.)

Yubico and other "key form factor" authenticators indeed do still offer it, which is why I only mentioned Apple and Google.

So my point stands: Passkeys as implemented by Apple and Google don't support attestation. TFA also does not contradict this.

And how would they? Attestation semantically certifies that a given key will never leave secure embedded hardware; passkeys are intentionally cloud-synchronized and users can replicate them to an unlimited number of devices.
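The distinction lxgr draws (a cloud-synchronized passkey versus a key bound to one piece of hardware) is visible to a relying party in the WebAuthn registration response: the authenticator data's BE (backup-eligible) and BS (backup-state) flags mark a synced credential, and the attestation object's `fmt` says whether any attestation statement is present at all. This is an added example, not code from the thread; the authenticator data it parses is constructed inline as a fixture, and `classify_credential` is a hypothetical policy helper, not a standard API.

```python
import hashlib
import struct

# authenticatorData flag bits as defined by WebAuthn (Level 3, section 6.1).
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x08, 0x10, 0x40, 0x80

def parse_auth_data(auth_data: bytes) -> dict:
    """Split raw authenticatorData into rpIdHash, flags, signCount and, when the
    AT flag is set, the AAGUID and credentialId of the attested credential."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the fixed 37-byte header")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    out = {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count,
           "aaguid": None, "credential_id": None}
    if flags & FLAG_AT:
        out["aaguid"] = auth_data[37:53]
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        out["credential_id"] = auth_data[55:55 + cred_len]
    return out

def classify_credential(fmt: str, flags: int) -> str:
    """Hypothetical relying-party policy. A backup-eligible credential is a synced
    passkey and may be replicated to any number of devices, so no hardware-binding
    claim applies to it. fmt != "none" only means a statement is present; verifying
    its signature and trust chain happens in the normal attestation path."""
    if flags & FLAG_BE:
        return "synced-passkey"
    if fmt == "none":
        return "device-bound-unattested"
    return "device-bound-attested"

def build_auth_data(rp_id: str, flags: int, aaguid: bytes, cred_id: bytes) -> bytes:
    """Construct sample authenticatorData (a test fixture, not real authenticator output)."""
    body = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
    if flags & FLAG_AT:
        # A COSE_Key would follow the credentialId; an empty CBOR map stands in for it here.
        body += aaguid + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"
    return body

# Constructed sample 1: platform passkey, UP|UV|BE|BS|AT, zero AAGUID, attestation fmt "none".
PASSKEY = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT, bytes(16), b"A" * 16)
# Constructed sample 2: security-key credential, UP|UV|AT, non-zero AAGUID, attestation fmt "packed".
SECURITY_KEY = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT, b"\x11" * 16, b"B" * 32)

if __name__ == "__main__":
    for name, data, fmt in (("passkey", PASSKEY, "none"), ("security key", SECURITY_KEY, "packed")):
        parsed = parse_auth_data(data)
        print(name, hex(parsed["flags"]), parsed["aaguid"].hex(), classify_credential(fmt, parsed["flags"]))
```

Because the BE flag is set by the authenticator before the data is signed over, a relying party that needs device-bound keys can reject at registration time rather than discovering later that the credential has been copied elsewhere.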
