
it's possible with CPU secure attestation, but it's not something you will encounter on regular personal computers.

the capability is there, but it would be massively inconvenient, since it requires a lot of lockdown

might be the next generation of anti-cheats though



Apple is already shipping remote attestation in Safari in the form of Private Access Tokens (https://developer.apple.com/news/?id=huqjyh7k), though Cloudflare's trial for that has ended. Safari authenticates and attests itself against Apple, who hands out tokens to your browser, which in turn get used to bypass CAPTCHAs and other anti-spam filters.

There's no direct remote attestation implementation for passkeys yet, but remote attestation for web browsers has been around for a few years now.


> remote attestation for web browsers has been around for a few years now.

May it always remain niche.

A world in which open source browsers are unusable for most people and new entries to the browser market are all but impossible sounds terrible.


there is no contradiction between open-source and attestation

linux is open-source and a very common attestation target


Ask anyone who has tried to run banking apps on GrapheneOS how that works out in practice.

GrapheneOS supports attestation. GrapheneOS even provides the sort of security guarantees that would make risk management types at banks happy, but it isn't popular enough for them to be motivated to support it as an attestation target.

Now imagine it was practical for websites to require attestation from browsers. How likely do you think it is that all the major services would accept anything other than Chrome, Safari, and Edge?



