
My main issue with attestation is that it's platform controlled instead of user-controlled and that it doesn't just bind a credential to a device, it binds an authentication mechanism to a category/subset of devices.

If the attestation part was separated from the manufacturer and it couldn't be used to identify who made the device or what brand the device was or what OS it was running, and instead was just a completely randomized device key with no other information with only the restriction that it was hardware-bound, would that be enough to meet your use case or would the user being able to update the OS/firmware still be a problem for you?

My problems with attestation in order:

1. Locking down the ability of the user to change the software/firmware.

2. Allowing the website to identify the device/manufacturer (and allowing them to restrict accounts to a subset of devices).

3. Not allowing the user to replicate/change the device/move the key.

But 1 and 2 are the biggest issues I have; if they went away, then 3 wouldn't be as big of a deal to me. Not that I would be super-happy about it, I still don't think it would be a good idea, but... it's comparatively less of a problem.

I could imagine a version of this where you get one private key set on firmware/OS load for your device but it's completely random, and if you update the firmware and the integrity check fails the only thing that happens is that key changes to a new one and the old key is erased. So updating the firmware would invalidate the old login keys that were relying on attestation, but it would not make it possible for a site to block an un-Googled Android from making an account or to even know that you were using an Android/iOS device in the first place.

Again, I don't think that would be a good idea, I think it would be introducing a lot of foot-guns that shouldn't be exposed to ordinary users, but I don't think it would be nearly as much of a problem as saying "we guarantee this is one of X devices in this hardware batch, and that the OS hasn't been customized."
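The design sketched in this comment (a random, hardware-bound login key that is re-derived from the firmware measurement at every boot, so a firmware change silently rotates it without telling the site anything about the device) can be modelled in a few lines. This is an added illustration, not code from the commenter or from any real authenticator; the `Device` and `Site` classes, the firmware images and the user name are constructed, and the site stores a shared MAC secret where real FIDO would store a public key.

```python
import hashlib
import hmac
import secrets

def derive_device_key(root_secret: bytes, firmware: bytes) -> bytes:
    """Key bound to one device AND one firmware image. Only a random per-device
    secret and the image measurement go in (no vendor, model or OS label), so
    the key and anything signed with it reveal nothing about the platform."""
    measurement = hashlib.sha256(firmware).digest()   # what the SE records at boot
    return hmac.new(root_secret, b"login-key|" + measurement, hashlib.sha256).digest()

class Device:
    """Constructed model of an authenticator with an anonymous hardware root."""
    def __init__(self, firmware: bytes) -> None:
        self.root_secret = secrets.token_bytes(32)   # random, never leaves the device
        self.boot(firmware)

    def boot(self, firmware: bytes) -> None:
        # Each boot re-derives the key from the current image; after a firmware
        # change the old key no longer exists anywhere (the "erase" in the post).
        self.key = derive_device_key(self.root_secret, firmware)

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class Site:
    """Relying party: stores only the enrolled key and learns nothing else."""
    def __init__(self) -> None:
        self.accounts: dict[str, bytes] = {}

    def register(self, user: str, device: Device) -> None:
        # Simplification: the site keeps the key as a shared MAC secret. Real FIDO
        # would store a public key instead; the firmware binding works the same.
        self.accounts[user] = device.key

    def login(self, user: str, device: Device) -> bool:
        challenge = secrets.token_bytes(16)
        expected = hmac.new(self.accounts[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, device.answer(challenge))

def demo() -> tuple[bool, bool]:
    """(login on the enrolled firmware, login after flashing a different image):
    the second is False, yet the site learns nothing about what was flashed."""
    phone = Device(firmware=b"stock image v1")          # constructed sample images
    site = Site()
    site.register("alice", phone)
    before = site.login("alice", phone)
    phone.boot(firmware=b"custom image without vendor services")
    return before, site.login("alice", phone)
```

Two devices running the identical image still derive unrelated keys, so the site cannot group accounts by hardware batch or OS; it only ever sees one opaque credential that either answers its challenge or does not.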



This would be great, but as it is, platform authenticators are effectively always a combination of trusted and untrusted hardware/software, since the TEE or Secure Element usually does not have user input/output capabilities and is relying on the application processor OS's integrity to some extent.

Notable exception: Google's Protected Confirmation [1] – the signature format of that is not natively WebAuthn/FIDO compatible, though.

[1] https://android-developers.googleblog.com/2018/10/android-pr...



