
What they probably want to know here, I guess, is "is this device secure?", and there's just no technical answer to that; the result of the key attestation doesn't help you one bit to decide that.

The only way to do it is indeed to run some kind of computation on the device, usually those get plugged in to have more power.

The key attestation has a very small list of things it's actually useful for anyway; it's generally a bad idea to use it.



I mean, it can, to some extent: By only accepting attestations from an opt-in list of devices that the scheme operator has validated to be sufficiently secure.

That approach has a lot of downsides, obviously.

Unfortunately, what I'm often seeing is a "worst of both worlds" type of solution: There is a list of trusted (used as a proxy for secure) devices, but it's generated in a pretty arbitrary way.

My government actually requires FIDO attestation in such a way, but for the longest time, the only trusted hardware authenticator was by a company I've never even heard of in this space – Yubico was not considered trusted.
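The "opt-in list of validated devices" approach described in this comment amounts to a relying party checking the authenticator's AAGUID from the WebAuthn registration against an allowlist. The following is an added example (not code from the thread or from any vendor) showing how that check is implemented server-side: it parses the authenticatorData structure, extracts the AAGUID from the attested credential data, and accepts only entries on a hypothetical allowlist. The AAGUID value, RP ID and credential ID below are constructed for the example; a real deployment would also verify the attestation statement signature against the vendor's root certificate before trusting the AAGUID at all, since an unverified AAGUID is just a self-declared value.

```python
import hashlib
import struct
import uuid

# WebAuthn authenticatorData flag bits (WebAuthn Level 2, section 6.1)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included

# Hypothetical allowlist of validated authenticator models, keyed by AAGUID.
# Values are constructed for this example; a scheme operator would populate
# this from its own validation process (or from FIDO MDS metadata).
TRUSTED_AAGUIDS = {
    uuid.UUID("00000000-0000-0000-0000-000000000001"): "ExampleVendor Key v1",
}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed header of authenticatorData plus attested credential data if present."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    parsed = {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "sign_count": sign_count,
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        # AAGUID (16) + credentialIdLength (2) + credentialId + credentialPublicKey (CBOR)
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        parsed["credential_id"] = cred_id
    return parsed


def evaluate_registration(auth_data: bytes, expected_rp_id: str, allowlist: dict) -> tuple:
    """Return (accepted, reason). Accepts only registrations whose AAGUID is on the allowlist."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return (False, "rpIdHash does not match the expected RP ID")
    if not parsed["flags"] & FLAG_UP:
        return (False, "user presence flag not set")
    if parsed["aaguid"] is None:
        return (False, "no attested credential data in registration")
    # NOTE: in production, the AAGUID is only meaningful after the attestation
    # statement's signature has been verified against the vendor's trust anchor.
    model = allowlist.get(parsed["aaguid"])
    if model is None:
        return (False, f"AAGUID {parsed['aaguid']} is not on the allowlist")
    return (True, model)


def build_sample_auth_data(rp_id: str, aaguid: uuid.UUID, cred_id: bytes,
                           flags: int = FLAG_UP | FLAG_UV | FLAG_AT,
                           sign_count: int = 0) -> bytes:
    """Construct a test authenticatorData blob (for this example only, not a real authenticator)."""
    return (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
        + aaguid.bytes
        + struct.pack(">H", len(cred_id))
        + cred_id
        + b"\xa0"  # empty CBOR map standing in for credentialPublicKey
    )


if __name__ == "__main__":
    trusted = uuid.UUID("00000000-0000-0000-0000-000000000001")
    unknown = uuid.UUID("00000000-0000-0000-0000-0000000000ff")
    for aaguid in (trusted, unknown):
        blob = build_sample_auth_data("login.example", aaguid, b"cred-1234")
        print(aaguid, evaluate_registration(blob, "login.example", TRUSTED_AAGUIDS))
```

Running the block registers one credential from the allowlisted model and rejects one from an unknown AAGUID, which is the whole mechanism the comment describes; the scaling problem raised in the thread is that `TRUSTED_AAGUIDS` has to be curated by hand for every model the operator is willing to accept.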


> I mean, it can, to some extent: By only accepting attestations from an opt-in list of devices that the scheme operator has validated to be sufficiently secure.

> That approach has a lot of downsides, obviously.

Yes, the main one being that it doesn't scale at all, especially to an ID-card level, which is used in a whole country.

> My government actually requires FIDO attestation in such a way, but for the longest time, the only trusted hardware authenticator was by a company I've never even heard of in this space – Yubico was not considered trusted.

I'm not surprised much; governments are usually big fans of the not-invented-here syndrome and reinvent the wheel with paid consultants.


Exactly! Ironically, Yubico is Swedish, yet the only supported authenticator is from a Taiwanese company, so something must have gone wrong in the usual scheme of "regional economic stimulus by expensive government contract" :)

What smells really bad about it is that the only domestic reseller of that FIDO authenticator apparently is the government contractor that built the e-ID platform...



