> Or logging in to your bank without an iPhone or an android.
This is already possible (and common!) many banking apps, for better or worse, use device attestation features that require varyingly official copies of android. Were you already complaining about this?
Yes, "we" were, definitely. I already can't freely choose the OS that I have installed on my phone because I'm limited in the apps that I can install. For example many government ID and banking apps will refuse to work on GrapheneOS even though that OS is security-focused and will probably keep you safer than your regular Chinese Android flavor. But it's not sanctioned by a big international corporation so it's a no. Is your argument that we shouldn't complain since it is already happening somewhere ?
What's an "official" copy of Android ? AOSP is supposed to be open-source. "Official" means controlled by a multinational corporation. I'm very puzzled that the reaction to these entities gaining even more power, outside of democratic control, is met with a "oh it may me worse, it may be not" type of reaction.
Would you be ok if for example your government's website to pay your taxes mandated a device with attestation knowing you can only get one from Google, Apple or Microsoft ?
I am not unaware of the potential dangers of device attestation.
> Would you be ok if for example your government's website to pay your taxes mandated a device with attestation knowing you can only get one from Google, Apple or Microsoft ?
My point is this is already possible today. A lot of apps do it. An open attestation API means that, at least theoretically, systems not owned by one of those three providers could be used. Today you get, functionally, a signal of "this is blessed android or not". An alternative world where the device attests "I am grapheneOS" and it is up to the service to accept that attestation or not is strictly better than the ability today.
I'm not sure what your point is here. How credentials are stolen today is irrelevant to the fact that today, right now, at this very moment, banks can and do already do the thing you're worried will be possible only due to the prevalence of passkeys.
Oh my point is that their device attestation thing is security theater.
It's clearly just for getting that iso certification.
It's a power play by the platform vendors.
The vendors are literally saying:
We now have this "security" feature and banks have to use it to be compliant and it only works on our platforms, so I guess you have to use our platform unless you want to be unbanked.
I mean, I would agree that it's not a particularly useful thing for consumer-phone-bank usecases, but that doesn't mean the feature is bad (or harmful).
Just to be clear, no one is saying
> banks have to use it to be compliant
nor are they saying
> it only works on our platforms
As far as I know, if systems were to use attestation it would be in a lot of senses more open than what attestation is available today (in the sense that more devices could use it). But also I don't think anyone who works on passkeys is saying banks need to support FIDO attestation to be "compliant".
This is already possible (and common!) many banking apps, for better or worse, use device attestation features that require varyingly official copies of android. Were you already complaining about this?