zlacker

lxgr (OP), 2024-12-28 04:30:35
Android exclusively supports attestation for non-discoverable/synchronized keys, i.e. not passkeys. This also matches my observation that by opting in to attestation, you're automatically opting out of discoverable credentials and vice versa. (I don't remember off the top of my head which one you get if you require both attestation and discoverable credentials.)

TIL that Apple still supports attestation for MDMed devices, but MDM means corporate/enterprise managed devices, not regular iPhones and Macs. (I also suspect that these would be non-synchronized in the same way that Google does it.)

Yubico and other "key form factor" authenticators indeed do still offer it, which is why I only mentioned Apple and Google.

So my point stands: Passkeys as implemented by Apple and Google don't support attestation. TFA also does not contradict this.

And how would they? Attestation semantically certifies that a given key will never leave secure embedded hardware; passkeys are intentionally cloud-synchronized and users can replicate them to an unlimited number of devices.
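The distinction the comment draws (attestation vouches for a device-bound key; a synced passkey cannot carry that guarantee) is visible to a relying party in the registration response itself: the attestation object's `fmt` field says whether an attestation statement is present at all, and the BE (backup eligible) and BS (backup state) bits in the authenticator-data flags byte say whether the credential may be, or already is, synchronized. The following Python is an added example, not code from the comment author or from any of the vendors discussed; the flag bit values come from the WebAuthn Level 3 authenticator-data layout, the sample byte strings are constructed inline, the COSE public key is left unparsed, and the check on `fmt` only detects the presence of an attestation statement (a real relying party still has to verify the statement's signature and certificate chain before treating the key as hardware-bound).

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticator-data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced off the device
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data (AAGUID, credential id, key) follows
FLAG_ED = 0x80  # extension data follows

AUTH_DATA_MIN_LEN = 37  # rpIdHash (32) + flags (1) + signCount (4)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed header of authenticatorData and, when the AT flag is set,
    the attested credential data. The COSE public key (CBOR) is not parsed here."""
    if len(auth_data) < AUTH_DATA_MIN_LEN:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "aaguid": None,
        "credential_id": None,
    }
    # The spec lists BS=1 with BE=0 as an invalid combination; reject it outright.
    if parsed["backup_state"] and not parsed["backup_eligible"]:
        raise ValueError("backup state set without backup eligibility")
    if flags & FLAG_AT:
        if len(auth_data) < AUTH_DATA_MIN_LEN + 18:  # AAGUID (16) + credIdLen (2)
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = auth_data[37:53]
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        parsed["credential_id"] = cred_id
    return parsed


def classify_credential(attestation_fmt: str, auth_data: bytes) -> dict:
    """Combine the attestation statement format with the BE flag to describe
    what kind of credential the relying party has been handed."""
    parsed = parse_authenticator_data(auth_data)
    attested = attestation_fmt != "none"   # presence only; chain verification is separate
    synced = parsed["backup_eligible"]
    if attested and not synced:
        kind = "device-bound, attested"
    elif synced and not attested:
        kind = "synced passkey, no attestation"
    elif synced and attested:
        kind = "synced, attestation present"
    else:
        kind = "device-bound, no attestation"
    return {
        "kind": kind,
        "attested": attested,
        "synced": synced,
        # Only an unsynced credential with an attestation statement can support
        # the claim that the private key never leaves secure hardware.
        "hardware_bound_claim": attested and not synced,
        "parsed": parsed,
    }


def policy_accepts(classification: dict, require_hardware_bound: bool) -> bool:
    """Toy relying-party policy (hypothetical): a deployment that requires
    hardware-bound keys must reject synced credentials, since attestation cannot
    vouch for a key that can be replicated to other devices."""
    if require_hardware_bound:
        return classification["hardware_bound_claim"]
    return True


def build_sample_auth_data(flags: int, rp_id: str = "example.com") -> bytes:
    """CONSTRUCTED sample: a minimal authenticatorData blob with attested
    credential data, an all-zero AAGUID and an empty CBOR map standing in for the key."""
    blob = hashlib.sha256(rp_id.encode()).digest()
    blob += bytes([flags | FLAG_AT]) + struct.pack(">I", 0)
    blob += bytes(16)                                  # AAGUID placeholder
    cred_id = b"\x11" * 16                             # constructed credential id
    blob += struct.pack(">H", len(cred_id)) + cred_id
    blob += b"\xa0"                                    # placeholder for the COSE key
    return blob


if __name__ == "__main__":
    synced = build_sample_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    bound = build_sample_auth_data(FLAG_UP | FLAG_UV)
    for fmt, data in (("none", synced), ("packed", bound)):
        c = classify_credential(fmt, data)
        print(fmt, "->", c["kind"], "| accepted under hardware-only policy:", policy_accepts(c, True))
```

In practice a relying party that sets `attestation: "direct"` and then receives `fmt == "none"` with BE set has learned exactly what the comment describes: the platform chose a synced credential and supplied no attestation, so a policy that needs hardware-bound keys has to turn the registration away rather than silently accept it.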
