Comment by Tharre 4 hours ago

> Guarantee? Not by law but it will be hard for them to take that away.

Last year they removed the ability to register[0] YubiKey FIDO2 tokens affected by the EUCLEAK 'vulnerability', despite it not posing any security risk even by their own admission, and nobody seems to have cared. The whole thing screams security theater: they require the much more expensive FIDO2 Level 2 keys for no reason (which limited you to just Trustkeys at the time after YubiKeys got banned), while their own site crashes[1] if you give it a secure password.

At the end of the day, if it's not required by law, the only other guarantee you have is a broad userbase that will complain if it's taken away, and at least at the moment it's clear that no such userbase exists.

[0] https://www.a-trust.at/de/%C3%BCber_uns/newsbereich/20240905...

[1] https://imgur.com/a/Uyjaoa7

the_mitsuhiko 2 hours ago

You don't have to tell me, I absolutely hate that passkeys support attestation. But there is pressure to support a non-smartphone-based sign-in, and it does exist.