Attestation.
A cryptographic statement from the authenticator about its origin and properties, used by relying parties to verify which authenticator created a credential.
The default for consumer CIAM should be attestation: "none", it preserves user privacy, reduces interoperability friction, and matches the W3C recommendation. Reach for direct attestation only when the deployment specifically requires verifying authenticator hardware (regulated workforce, government identity, hardware-attestation features like Beyond Identity).
Common questions
Should I require attestation in my deployment?
What's the difference between attestation types?
Does attestation identify the user?