How does it "allow a malicious website to obtain valid credentials." – WebAuthn
I’m not entirely convinced of the importance of verifying the authenticator attestation, and I’ve asked a question about it. I’m open to it, and if you want, you can post an answer at that question, but this one is specifically about "…