
FIDO does some dirty things:

>FIDO requires an attestation private key, which must be shared between a batch of at least 100,000 security keys. Using a DIY or CLI app solution (application running on the host) will likely mean you'll be generating that private key yourself; this makes you identifiable across registrations.

>Some sites (Cloudflare) may reject the use of attestation keys which are not found on the Fido Alliance Metadata Service. This precludes the use of any DIY solution.

>https://fidoalliance.org/metadata/

>https://support.cloudflare.com/hc/en-us/articles/44068890480...

Taken from a previous Hacker News discussion: https://news.ycombinator.com/item?id=31294316#31295128



In Firefox you can, and I do, tell the browser to refuse Attestation. There's a prompt during the enrolment process.

There's no reason why you should provide Attestation for the Web generally. It could make sense (though I'd argue it does not) for some specialised applications, but generally it's probably a waste of your time (collating the necessary data to make it work) and your users' time (now some stuff they want doesn't work and needs explicit authorisation).


Chrome also allows you to say no to Attestation requests.

The only place I've seen a 'legitimate' use for requesting an attestation cert is to ensure that only specialized FIPS hardware is allowed to be registered when that is a business obligation.


Attestation is an option in the FIDO ecosystem, and it is up to each website whether or not attestation is needed. Attestation is often required in enterprise settings. While consumer adoption of WebAuthn is incredibly low, the introduction of passkeys and multi-device credentials looks poised to change that.

For consumer scenarios, attestation is often not a requirement. In that case, FIDO offers the "none" and "self" attestation modes. None conveys no attestation. Self attestation involves a per-website key pair. Either of these modes is privacy and DIY friendly.


Well, Cloudflare seems to be doing it to combat bots.

We actually managed to invent something even worse than passwords. Incredible.


Why are you so negative about this? It works pretty well as an authentication mechanism. Unlike passwords, it can't be leaked or phished.

As for Cloudflare use, it's an experimental hack. An option to avoid filling in a CAPTCHA in case you have a compatible hardware key. You don't have to have one, and you don't have to use it for this if you don't want to.


Most open source tools I've seen that implement FIDO use a shared Attestation cert[0].

[0]: https://github.com/github/SoftU2F/blob/master/SelfSignedCert...


> ... will likely mean you'll be generating that private key yourself, this makes you identifiable across registrations.

DIY/CLI apps have no reason to include a legitimate attestation - attestations are used to convey trust in the implementation, such as 'This is a Yubikey 5i'. The public key is usable to look up additional metadata, such as passing conformance and security implementation tests.

>Some sites (Cloudflare) may reject the use of attestation keys which are not found on the Fido Alliance Metadata Service. This precludes the use of any DIY solution.

The feature is meant for higher security environments (say workforce and government employee/contractor) to reject a home-grown implementation.

Cloudflare's (beta experiment) usage is a special case because they are using attestations to show that it is real hardware with a real financial cost. They are experimenting with using that as a replacement for captcha entering (while also experimenting with other technologies like privacypass to limit the number of times they ask for captchas).

The alternative to attestations in both of these use cases is that FIDO is not acceptable at all, not that a DIY implementation would become accepted.


Please note that verifying Metadata is optional for a RP (site owner) and very few sites need it. Without metadata information the privacy is improved.

Disclosure: We built an open source library and an API that makes it easy to add WebAuthn/FIDO to your existing web app. It's available at https://www.passwordless.dev/ for those who want to take a look.

There is also a more configurable demo page for the library where you can turn metadata on/off (the API has it off by default).



