The term is often confused with “assertion,” an operation that occurs during an authentication transaction. “Attestation,” rather, refers to something that happens when a user registers for a digital service. In that instance, a given FIDO authenticator will generate two keys – a public key and a private attestation key. The latter is linked to an attestation certificate, which is associated with a given device model, so that all Samsung Galaxy S9 devices, for example, would have the same attestation certificate. But each device using that certificate would link it to a key pair made during the initial registration with a digital service, allowing the service to see that a given device is indeed the registered one during future authentication transactions.
If that all sounds a bit complex, it is; and Powers’ post goes into considerable detail in fully outlining the process. But the key takeaway is that this process offers both security and privacy to the user. An attacker can’t simply swap in a public key of their own, because the attestation signature over that key wouldn’t match what a given service requires. Meanwhile, the fact that the attestation certificate is linked only to a device model means that an individual user’s device can’t be tracked using the attestation certificate.
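To make the registration-versus-login distinction concrete, here is an added, simplified model of the two steps (example code written for this summary, not FIDO’s or Powers’ own implementation). It assumes a constructed per-model ECDSA key standing in for the attestation certificate, a signature over `(credential public key || challenge)` standing in for the real attestation statement format, and a relying party that stores the credential public key at registration:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
)

// attDigest is what the attestation signature covers: the new credential's
// public key bound to the relying party's registration challenge (assumed layout).
func attDigest(credPub, challenge []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, credPub...), challenge...))
	return d[:]
}

// Register (authenticator side): mint this service's credential key pair and
// sign its public key with the attestation key shared by every device of the model.
func Register(attKey *ecdsa.PrivateKey, challenge []byte) (credPriv *ecdsa.PrivateKey, credPub, attSig []byte, err error) {
	if credPriv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return
	}
	if credPub, err = x509.MarshalPKIXPublicKey(&credPriv.PublicKey); err != nil {
		return
	}
	attSig, err = ecdsa.SignASN1(rand.Reader, attKey, attDigest(credPub, challenge))
	return
}

// VerifyAttestation (relying party side, at registration): accept the presented
// public key only if the model's attestation key vouches for it.
func VerifyAttestation(modelPub *ecdsa.PublicKey, credPub, challenge, attSig []byte) bool {
	return ecdsa.VerifyASN1(modelPub, attDigest(credPub, challenge), attSig)
}

// Assert (authenticator side, every later login): the credential key signs, not the attestation key.
func Assert(credPriv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, credPriv, d[:])
}

// VerifyAssertion (relying party side): check the login signature against the stored credential key.
func VerifyAssertion(credPub, challenge, sig []byte) bool {
	k, _ := x509.ParsePKIXPublicKey(credPub)
	pub, ok := k.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	d := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}
```

Two devices of the same model pass `VerifyAttestation` with the same model key yet end up with different credential keys, which is the privacy property described above; substituting another public key under the original attestation signature fails the check, which is the security property.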
It’s another example of the strength of FIDO’s authentication standards, which are being embraced by a growing number of digital services – and for good reason.