Lots of incorrect information, FUD, and trolling on this subject on this forum. So, what is happening?
Executive Summary: Google/Chrome is deprecating the “U2F API” since it has been replaced by the “WebAuthn API”. It is NOT deprecating U2F functionality, since it is supported by the “WebAuthn API”, just the “U2F API” that some early adopters based their original deployment on.
Details:
First, we need to understand the technology and terms a little bit better. FIDO protocols, like most, have a layered approach and many options. The FIDO architecture has 3 components: Server, Client, Authenticator. Think of the Server as the service hosting the Web page (i.e., URL). The Client could be an app or browser. The Authenticator can be a FIDO security key.
When a browser is involved in the Client, it communicates with the Server thru its top layer, which is referred to as the “xxx API” (e.g., U2F API, WebAuthn API), and with the Authenticator (i.e., FIDO security key) thru the bottom layer, which is now called the Client to Authenticator Protocol (CTAP). This can be seen in the picture at the link below from the FIDO Alliance website. Please note this picture was the state of the FIDO Platform/Browser Support in 2020; something has changed since.
https://fidoalliance.org/fido2/fido2-we ... -webauthn/
What is happening? Chrome is deprecating the U2F API. That is all. Services (e.g., Vanguard, Keeper Security) using U2F will still work with FIDO security keys but they must update to the new WebAuthn protocol since that is what the Clients (i.e., browsers) will be using.
https://developer.chrome.com/blog/deps- ... ryptotoken
Why did this happen? When U2F was developed and deployed it was state of the art and bleeding edge and supported by the U2F API in some browsers. The next development in this area with greater industry support was WebAuthn from the World Wide Web Consortium (W3C) which supported new options (CTAP2 sometimes referred to as FIDO2) along with the FIDO U2F. These services are supported by the WebAuthn API in browsers.
Why is Google/Chrome doing this? The U2F API project is no longer maintained and supported since WebAuthn is now the current state of the industry. This is a good thing, not Google “losing interest in things” but rather Google embracing the industry. Also, nobody should be using software not being supported so alerting us of this issue is a nice service.
Why are some websites having issues and others not? If you were an early supporter of U2F, like Vanguard and Keeper, then your original deployment was based on the U2F API. Late comers to the party had the advantage of starting with the WebAuthn API so there is no work to do. For instance, BoA started supporting FIDO security keys, but I do not get this warning from their website.
Please note when trying to debug issues with FIDO security keys it is very important to understand what Platform (e.g., Windows, iOS, Android, macOS) the browser is being used on since not all functionality is supported on all Platforms for a browser.
I will repeat again: U2F is NOT being deprecated, just the U2F API that some early adopters based their original deployment on.
Will Vanguard and others get this done before the deadline? I do not know, but one of the reasons they are in this position is that they were an early adopter, and although many of us think they did not implement it securely enough, we should thank and support them for being on the edge.
Does Vanguard understand these issues? I have no idea, but I find it funny that we expect Vanguard’s customer support to have enough information to explain this to us when I am not sure many of us did either.
BTW FIDO2 (WebAuthn/CTAP2 – passwordless) is a much more secure protocol than U2F and a “phish-proof” multi-factor authentication (MFA) technology. This is what Microsoft has been deploying.
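
The post's point that services must move to the WebAuthn API while existing U2F keys keep working, shown as an added example that is not part of the original post or any service's code: a relying party builds its WebAuthn request with the `appid` extension so that key handles registered through the old U2F API are still accepted. The function names, hostnames and key bytes are assumptions made for illustration.

```javascript
// Added example. The records mimic the U2F JS API's RegisteredKey shape
// (keyHandle, appId); hostnames and key bytes are constructed.
const sampleLegacyKeys = [
  { version: 'U2F_V2', keyHandle: 'AQIDBAUGBwg',
    appId: 'https://login.example.test/app-id.json' },
];

// U2F key handles are web-safe base64 without padding.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Options for navigator.credentials.get() that accept both new WebAuthn
// credentials and keys originally registered through the U2F API.
function buildGetOptions({ rpId, challenge, legacyKeys, webauthnCredIds = [] }) {
  const appIds = [...new Set(legacyKeys.map((k) => k.appId))];
  if (appIds.length > 1) {
    // The appid extension carries exactly one AppID per request.
    throw new Error('legacy keys span multiple AppIDs');
  }
  const toDescriptor = (id) => ({ type: 'public-key', id: b64urlToBytes(id) });
  const publicKey = {
    challenge,
    rpId,
    allowCredentials: [
      ...webauthnCredIds.map(toDescriptor),
      ...legacyKeys.map((k) => toDescriptor(k.keyHandle)),
    ],
    // U2F-only keys have no user verification, so do not require it.
    userVerification: 'discouraged',
  };
  if (appIds.length === 1) publicKey.extensions = { appid: appIds[0] };
  return { publicKey };
}

// Server side: authenticatorData.rpIdHash is SHA-256 of the AppID when the
// client reports the extension was used, otherwise SHA-256 of the RP ID.
function rpIdHashInput(rpId, requestedAppId, clientExtensionResults) {
  const usedAppId = Boolean(clientExtensionResults && clientExtensionResults.appid === true);
  return usedAppId ? requestedAppId : rpId;
}
```

In the browser, the object returned by `buildGetOptions` is passed to `navigator.credentials.get()`, and the value of `getClientExtensionResults().appid` on the returned credential is what the server feeds to `rpIdHashInput`.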