Attestation isn't a necessary requirement of an authentication token, and is inherently hostile to user freedom.
If some knobsite wants to insist on me using a "hardware authentication key" (similar to how many currently insist on using email/SMS codes), but I want to set it up so that secret is stored in my browser because that site isn't so important to me, setting my own security policy that directly contradicts their wishes should be my right. Their control shouldn't extend onto my own computers(s), with the demarcation point being the Internet itself.
If some knobsite wants to insist on me using a "hardware authentication key" (similar to how many currently insist on using email/SMS codes), but I want to set it up so that secret is stored in my browser because that site isn't so important to me, setting my own security policy that directly contradicts their wishes should be my right. Their control shouldn't extend onto my own computers(s), with the demarcation point being the Internet itself.