Comment by altairprime
12 days ago
All valid points — however: the EU has two requirements not listed above: it needs to be difficult to steal unnoticed, and it needs to minimize attempts to steal it at all.
They’re not concerned about a person handing their phone to someone else for a moment. They’re concerned about kids stealing age verification devices from people. Someone isn’t going to notice a missing YubiKey until they check age next. Someone is going to miss their phone much more rapidly, be able to track it using stolen device features, and be able to report it stolen, which incidentally remote kills HSM access. They can also enforce biometric checks and require a recertification after those change, which would make it nearly impossible — relative to shoulder surfing a PIN — for kids to make use of the parental device unit.
Even a fingerprint key isn’t going to meet these terms, and it’s going to have a weaker sensor that the kid will have hours or days or weeks to try and defeat using a fingerprinted glass and some glue. Locking it to biometrics stored in the phone prior to (re)certification makes it pointless for kids to try. A few still will, but word will spread.
I still personally think this is all kind of a hot mess of deferring parental authority to technology, but I’m not an EU citizen, nor a parent, so my opinion on the policy is irrelevant. I’m just here to raise awareness of why attestation is winning: technological superiority and unmatchable market fit, and an opposition that isn’t presenting coherent and most especially government-persuasive arguments to stop its use. YubiKeys are not a viable market fit in a world where tiny amoral thieves live among us — and whatever else children are to their parents, most of them have the moral integrity of a wet paper towel. Most wouldn’t think twice about lifting a YubiKey, but they’ll hesitate strongly before stealing a parent’s phone, and it won’t even pay off doing so thanks to biometrics.