Switch to Web Authentication (Webauthn) for 2FA for U2F and FIDO2 tokens

Description

U2F has been superseded by Web Authentication. Firefox has support for the new spec, and the latest version of Chrome does too. Firefox in particular will not be supporting U2F except behind a flag.

Proposal

Add support to the 2FA enrollment page for Web Authentication tokens.

We may need to support existing tokens in current U2F form, which looks possible in Webauthn. By moving to Webauthn we can leverage native browser support integration, we could support FIDO2 in the future, and it's also possible to use existing hardware on the machine, like a fingerprint reader, to authenticate as "Built-in Sensor" vs "External token".

Links / references

This post has a brief explanation of all the terminology involved. https://www.imperialviolet.org/2018/03/27/webauthn.html#all-the-different-terms

It includes the quote (emphasis mine):

The FIDO Javascript API is not the future, however. Instead, the W3C is defining an official Web Authentication standard for Security Keys, which is commonly called by its short name “webauthn”. This standard is significantly more capable (and significantly more complex) than the U2F API but, by the end of 2018, it is likely that all of Edge, Chrome, and Firefox will support it by default.

Edited by 🤖 GitLab Bot 🤖
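
The proposal says existing U2F tokens can keep working under Webauthn; the standard mechanism for that is the `appid` extension on authentication requests. The sketch below is an added example, not GitLab's code. The host name, the stored-record shape (`type`, `keyHandle`) and the function names are assumptions.

```javascript
// Added example. LEGACY_APP_ID, RP_ID and the stored-record shape are assumptions.
const LEGACY_APP_ID = "https://gitlab.example.com"; // AppID used at U2F enrollment
const RP_ID = "gitlab.example.com";                 // WebAuthn relying party ID

// U2F key handles are usually stored as URL-safe base64; WebAuthn needs raw bytes.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Build PublicKeyCredentialRequestOptions for a user's enrolled second factors.
// `challenge` is the server-issued random challenge (Uint8Array).
function buildAssertionOptions(challenge, registrations) {
  const options = {
    challenge,
    rpId: RP_ID,
    timeout: 60000,
    userVerification: "discouraged", // second factor only, same as U2F
    allowCredentials: registrations.map((r) => ({
      type: "public-key",
      id: b64urlToBytes(r.keyHandle),
    })),
  };
  // The appid extension applies to authentication only; it lets the browser
  // retry with the old AppID when a key handle was created through U2F.
  if (registrations.some((r) => r.type === "u2f")) {
    options.extensions = { appid: LEGACY_APP_ID };
  }
  return options;
}

// Server side: authenticatorData.rpIdHash must equal SHA-256 of this value.
// The browser reports appid: true when the legacy AppID was actually used.
function expectedRpIdSource(clientExtensionResults) {
  return clientExtensionResults.appid === true ? LEGACY_APP_ID : RP_ID;
}

// Constructed sample records: one legacy U2F enrollment, one WebAuthn one.
// The all-zero challenge is a placeholder for a server-generated random value.
const sampleRegistrations = [
  { type: "u2f", keyHandle: "dGVzdC1rZXktaGFuZGxlLTAx" },
  { type: "webauthn", keyHandle: "-_8" },
];
const sampleOptions = buildAssertionOptions(new Uint8Array(32), sampleRegistrations);
// In the browser: navigator.credentials.get({ publicKey: sampleOptions })
//   .then((cred) => cred.getClientExtensionResults()) -> pass to the server check.
```

New enrollments go through `navigator.credentials.create()` without the extension, so the legacy branch only ever covers key handles that already exist.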