
Going to have to give serious thought to where I will and won't use this.

There are a lot of implications - no ability to automate, and giving others data that you were provably in front of some machine, are two big ones.




That's a really interesting point. If this really does allow a web user to prove that a human interacted with the computer, it'd make for a really nice CAPTCHA replacement.


It doesn't do that, since there's no attestation.


Yes there is. The video covers this clearly.


Did you watch the video?


Where he says it is "not included"? (Because the Apple Secure Enclave does not attest keys.)

Also, where he falsely alludes to other attestations being identifying? Sure, they can be, but they generally aren't.


From the server side, isn't this just a WebAuthn integration?

How does the server know for sure if the client is on an iOS Safari browser on an iPhone with FaceID or a custom browser on any OS and any non-locked-down hardware being run with Selenium?


Attestation. If a website requests it, the device will provide cryptographic proof that you used a specific vendor’s device to store the resident credential. The proof is a certificate signed with a vendor’s secret attestation key.
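The flow the comment above describes, as an added example that is not from this thread or from any vendor's or browser's code: a vendor holds an attestation root, issues an attestation certificate to each device at manufacturing time, and at registration the device signs the authenticator data plus the hash of the client data (the WebAuthn "packed" attestation shape) with that key. The server verifies the signature and checks that the certificate chains to a vendor root it trusts; a tampered registration or a device from an unknown vendor fails. The vendor name, certificate subjects and byte strings are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Vendor models the device maker: its attestation root is what the server trusts.
type Vendor struct {
	Root    *x509.Certificate
	rootKey *ecdsa.PrivateKey
}

// NewVendor creates a self-signed attestation root CA (constructed for this example).
func NewVendor(name string) (*Vendor, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name + " Attestation Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Vendor{Root: cert, rootKey: key}, nil
}

// Device models an authenticator holding a vendor-issued attestation key.
// The attestation key never leaves the device; only signatures do.
type Device struct {
	certDER []byte
	attKey  *ecdsa.PrivateKey
}

// NewDevice issues an attestation certificate to a device, as the vendor would at manufacturing time.
func (v *Vendor) NewDevice() (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Authenticator (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, v.Root, &key.PublicKey, v.rootKey)
	if err != nil {
		return nil, err
	}
	return &Device{certDER: der, attKey: key}, nil
}

// Attestation is what the device returns at registration: the signed data, the signature and its cert.
type Attestation struct {
	AuthData       []byte // in WebAuthn: RP ID hash, flags, counter and the new credential's public key
	ClientDataHash []byte // SHA-256 of the client data, which carries the server's challenge
	Sig            []byte
	CertDER        []byte
}

// Attest signs authData || clientDataHash with the attestation key.
func (d *Device) Attest(authData, clientDataHash []byte) (*Attestation, error) {
	h := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	sig, err := ecdsa.SignASN1(rand.Reader, d.attKey, h[:])
	if err != nil {
		return nil, err
	}
	return &Attestation{AuthData: authData, ClientDataHash: clientDataHash, Sig: sig, CertDER: d.certDER}, nil
}

// TrustedRoots builds the server's pool of vendor attestation roots.
func TrustedRoots(vendors ...*Vendor) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, v := range vendors {
		pool.AddCert(v.Root)
	}
	return pool
}

// VerifyAttestation is the server side: it checks that the certificate chains to a trusted vendor root
// and that the signature covers exactly the data the server expects. It returns the root's subject name.
func VerifyAttestation(att *Attestation, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(att.CertDER)
	if err != nil {
		return "", err
	}
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return "", fmt.Errorf("attestation cert does not chain to a trusted vendor: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unsupported attestation key type")
	}
	h := sha256.Sum256(append(append([]byte{}, att.AuthData...), att.ClientDataHash...))
	if !ecdsa.VerifyASN1(pub, h[:], att.Sig) {
		return "", errors.New("bad attestation signature")
	}
	chain := chains[0]
	return chain[len(chain)-1].Subject.CommonName, nil
}

func main() {
	vendor, _ := NewVendor("ExampleCo")
	dev, _ := vendor.NewDevice()
	att, _ := dev.Attest([]byte("constructed auth data"), []byte("constructed client data hash"))
	name, err := VerifyAttestation(att, TrustedRoots(vendor))
	fmt.Println(name, err) // ExampleCo Attestation Root <nil>
}
```

Note that the server learns which vendor root signed the device's certificate, not the individual device: the attestation certificate carries no per-credential key, which is the point the thread makes about attestations not generally being identifying. The "not included" case from the thread corresponds to a registration with no attestation statement at all, which this server would simply not be able to verify.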


Can't the key get stolen if it's on the client?


Yes, but it’s probably stored in the Secure Enclave, so it’ll be hard work.


Correct. The key material is stored in the Secure Enclave.


The question is more along the lines of: does this provide more security than passwords for real users?

Stealing a password is probably more easily done than stealing a private key that is never transmitted. The primary threat model is protecting the credentials of real users rather than protecting against fraudulent users (though some considerations have been made for that too).


While what you say is true, it doesn't seem relevant to this thread.


It won't be the only sign in method unless the point is to only allow _that specific device_ to connect.

