Some of them do it in the most obvious sense (i.e. they have a manufacturer-provided private key used to sign statements that mean "this enrollment has been processed by a u2f key produced by the manufacturer").
But fair point, if we define "remote attestation" as a mechanism that prevents the user from substituting parts of the system with self-developed replacements, then unless the former is used _or_ the user uses a pre-enrolled u2f key, they can always use a software-emulated u2f key.
@retr0id@retr0.id @robryk@qoto.org there's an "enterprise" attestation/signature scheme, but not sure what exactly that entails. But in general they shouldn't do.
@retr0id@retr0.id @robryk@qoto.org Alright, it seems like that's just adding an ability to track the usage of individual authenticators on websites, but it's supposed to be only possible on websites that have been programmed into the authenticator, so wouldn't really matter for the "consumer devices" part IMO.