Switch to Web Authentication (WebAuthn) for 2FA for U2F and FIDO2 tokens
U2F has been superseded by Web Authentication. Firefox has support for the new spec, and the latest version of Chrome does too. Firefox in particular will not be supporting U2F except behind a flag.
Add support to the 2FA enrollment page for Web Authentication tokens.
We may need to support existing tokens in their current U2F form, which looks possible in WebAuthn. By moving to WebAuthn we can leverage native browser support, we could support FIDO2 in the future, and it also becomes possible to use hardware already on the machine, such as a fingerprint reader, to authenticate as a "Built-in Sensor" rather than an "External token".
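WebAuthn's `appid` extension is the mechanism that lets a browser assert a credential that was enrolled through U2F. The following is an added example, not code from this issue or the project: it builds the `navigator.credentials.get()` options for a mix of legacy and new credentials and shows the matching server-side `rpIdHash` check. The RP ID, AppID, function names and sample records are assumptions.

```javascript
// Added example; names, URLs and sample records are hypothetical.
const { createHash } = require("crypto");

const RP_ID = "app.example.com";              // assumed WebAuthn RP ID
const U2F_APP_ID = "https://app.example.com"; // assumed AppID used at U2F enrollment

const b64urlToBytes = (s) => new Uint8Array(Buffer.from(s, "base64url"));
const sha256 = (s) => createHash("sha256").update(s, "utf8").digest();

// Build the object passed as navigator.credentials.get({ publicKey: ... }).
// `registrations` mixes legacy U2F key handles and WebAuthn credential IDs.
function buildRequestOptions(challenge, registrations) {
  const options = {
    challenge,
    rpId: RP_ID,
    allowCredentials: registrations.map((r) => ({
      type: "public-key",
      id: b64urlToBytes(r.id),
    })),
    userVerification: "discouraged", // U2F tokens cannot verify the user
  };
  // Send the appid extension only when legacy credentials are present.
  if (registrations.some((r) => r.kind === "u2f")) {
    options.extensions = { appid: U2F_APP_ID };
  }
  return options;
}

// Server side: authenticator data starts with a 32-byte rpIdHash. When the
// client reports appid === true, the token signed over SHA-256(AppID)
// instead of SHA-256(RP ID), so the expected hash has to switch with it.
function rpIdHashMatches(authenticatorData, clientExtensionResults, registration) {
  const usedAppId = clientExtensionResults.appid === true;
  // Reject an AppID assertion for a credential that was never a U2F one.
  if (usedAppId && registration.kind !== "u2f") return false;
  const expected = sha256(usedAppId ? U2F_APP_ID : RP_ID);
  return Buffer.from(authenticatorData).subarray(0, 32).equals(expected);
}
```

In the browser, the `appid` flag comes from `credential.getClientExtensionResults()` on the assertion and is sent to the server along with the response.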
Links / references
- caniuse shows that Firefox currently supports it in stable, and that the next stable releases of both Chrome and Edge will support the API as well.
- This post has a brief explanation of all the terminology involved. https://www.imperialviolet.org/2018/03/27/webauthn.html#all-the-different-terms
It includes the quote (emphasis mine):