> makes it more or less useless as a security measure
Define "security". This is incredibly useful for mitigating bearer token exfiltration which is the stated purpose. It's also the same way ssh keypairs work and those are clearly much more secure than passwords.
It's only "insecure" from the perspective of a service host who wants to exert control over end users.
Even WebAuthn leaves attestation as an optional thing. Even in the case that the service operator requires it, so long as they don't engage in vendor whitelisting, you can create a snake-oil authority on the fly.
The main advantage this has over WebAuthn is that it is so much simpler.
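What "mitigating bearer token exfiltration" looks like in code, as an added example that is not part of the thread: the session token is only honoured when each request also carries a signature under a private key that never leaves the client, the same possession proof an SSH keypair gives. `Server`, `Login`, `Request`, `Sign` and `ProofMessage` are hypothetical names; the design (token bound to a public key at login, per-request challenge, challenge rotated after each accepted request) is an assumption made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Server-side session: the token is accepted only with a signature under the
// public key that was bound to it at login.
type session struct {
	pub   ed25519.PublicKey
	nonce []byte // single-use challenge, rotated after every accepted request
}
type Server map[string]*session // token -> session (in memory for the example)
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // constructed example; no recovery path needed
	}
	return b
}
// Login binds a fresh token to the client's public key and hands out the first
// challenge; primary authentication (password, etc.) is elided here.
func (s Server) Login(pub ed25519.PublicKey) (token string, nonce []byte) {
	token, nonce = hex.EncodeToString(randomBytes(16)), randomBytes(16)
	s[token] = &session{pub: pub, nonce: nonce}
	return token, nonce
}
// ProofMessage is what the client signs: token, challenge and request body.
func ProofMessage(token string, nonce, body []byte) []byte {
	h := sha256.Sum256(append(append([]byte(token), nonce...), body...))
	return h[:]
}
// Request accepts the token only with a valid signature under the bound key,
// then rotates the challenge so a captured signature cannot be replayed.
func (s Server) Request(token string, body, sig []byte) (nextNonce []byte, ok bool) {
	sess, found := s[token]
	if !found || !ed25519.Verify(sess.pub, ProofMessage(token, sess.nonce, body), sig) {
		return nil, false // exfiltrated token without the device key: rejected
	}
	sess.nonce = randomBytes(16)
	return sess.nonce, true
}
// Sign is the client side; the private key never leaves the device.
func Sign(priv ed25519.PrivateKey, token string, nonce, body []byte) []byte {
	return ed25519.Sign(priv, ProofMessage(token, nonce, body))
}
```

A copied token alone, a replayed signature, or a signature from a different key all fail `Request`; only the device holding the bound private key can keep the session alive.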