
This is not for the end user.

This is to mislead critics at this early stage.

Basically, in the end, this will work:

1. Website X (email, DMV, etc.) wants to log you in.

2. It accepts only Apple, Microsoft and Google as brokers, with direct attestation! Because otherwise there's no way to prevent spam. Ha!

3. You are redirected to these sites; they will require a DRM plugin to run native code after your browser and check the crypto module in your device (whatever is proprietary for Apple or Google phones, or a TPM device on Windows and, if you are very very very lucky, Linux).

4. Now you are redirected back to site X.

How does attestation prevent spam? By leaking your identity via side channels:

""" Generally speaking, attestation keys have associated attestation certificates, and those certificates chain to a root certificate that the service trusts. This is how the service establishes its trust in the authenticator’s attestation key. """

https://fidoalliance.org/fido-technotes-the-truth-about-atte...

Of course the spec sells you with misleading promises, about device ID ("must be model, not serial number", etc.), but none of that is part of the spec, and even if included in FIDO3, guess which parts Apple and Google will screw up or ignore?
