I'd like to be able to inject my own key material into the FIDO2 authenticator; at the very least it would remove the need to trust the vendor (because we have no guarantee that the vendor doesn't keep copies of the keys, whether because of a government request or for any other reason).
So I believe that for customers it'd be very valuable to be able to set their own key material.
However, Yubico argues that if they allow that, it would:
"undermine device attestation, which would likely disqualify those authenticators from high-security applications like financial institutions"
I'm not quite aware of the regulations in this area, so my main question is whether that is true. I'm struggling to understand why, by setting my own key material (and thus improving my personal security), I would disqualify the authenticator from being used.
Also, it looks a bit ironic, since these days financial institutions tend to trust SMS and not U2F, even though SMS is anything but secure. I do hope that this is going to change someday, though.
For reference, the discussion is happening here: WebAuthn recovery credentials extension