Enable FIDO U2F API for Android
Categories
(Core :: DOM: Web Authentication, enhancement, P1)
Tracking | Status | |
---|---|---|
firefox68 | --- | affected |
People
(Reporter: jcj, Assigned: jcj)
Attachments
(2 obsolete files)
The FIDO U2F API uses a different entry point than the FIDO2 API, but otherwise is
similar, and behaves similarly. It's almost ready to wire up, so let's wire it up.
Comment 1 • 6 years ago (Assignee)
Comment 2 • 6 years ago (Assignee)
Depends on D31636
Comment 3 • 6 years ago
Comment on attachment 9065718 [details]
Bug 1550625 - Refactor Android WebAuthn methods to use more GeckoBundles r?keeler
Revision D31636 was moved to bug 1552539. Setting attachment 9065718 [details] to obsolete.
Comment 4 • 6 years ago (Assignee)
Apparently the mechanism to do this is via the FIDO2 APIs in a fallback mode. I have not determined how that's achieved, yet.
Comment 5 • 6 years ago (Assignee)
After clarifying with Google, there's no API mechanism for Firefox to perform FIDO U2F JS API operations on Android. I'll need to disable the pref for Android so feature detection works properly.
Comment 6 • 6 years ago (Assignee)
Disabling in Bug 1552602.
Comment 7 • 6 years ago (Assignee)
To continue from Comment 5, the URL linked in this bug [0] provides an API for performing FIDO U2F, but has no mechanism to accept a web browser origin. Instead, origin is always set to something of the form android:apk-key-hash:<string>. This is similar to the not-privileged FIDO2 API (which we use for testing). Without being able to set the origin to an actual web origin, it's not suitable for websites generally. A website has to explicitly whitelist a given application, which wasn't meant for the general case, rather for in-house apps: https://developers.google.com/identity/fido/android/native-apps#interoperability_with_your_website
Going back-and-forth with Google, they pointed out that WebAuthn has the AppIdExtension for backward compatibility with U2F sign, but there is no compatibility for the first step, register, which would make for a difficult-to-use implementation.
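The origin problem from Comment 7, seen from the relying party's side, as an added example that is not code from Firefox, Google, or this bug: the server compares the origin claimed in the client data against the web origins it expects, and an android:apk-key-hash: origin passes only if that specific app was allow-listed. The function name, policy values, and sample inputs are constructed for illustration.

```javascript
// Added example: relying-party check of the origin field in clientDataJSON.
const APK_PREFIX = "android:apk-key-hash:";

// Hypothetical RP policy; every value here is a constructed placeholder.
const policy = {
  webOrigins: new Set(["https://login.example.com"]),
  // Native apps are listed one by one, keyed by the string after the prefix.
  apkKeyHashes: new Set(["EXAMPLE_KEY_HASH_OF_IN_HOUSE_APP"]),
};

// Classifies the claimed origin and decides whether verification may continue.
function checkClientDataOrigin(clientDataJSON, policy) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  const origin = data && data.origin;
  if (typeof origin !== "string") {
    return { ok: false, reason: "missing origin" };
  }
  if (origin.startsWith(APK_PREFIX)) {
    // The platform filled in an app identity, not a web origin.
    const hash = origin.slice(APK_PREFIX.length);
    return policy.apkKeyHashes.has(hash)
      ? { ok: true, kind: "android-app" }
      : { ok: false, reason: "app not allow-listed" };
  }
  // Web origins are compared exactly: scheme, host and port must all match.
  return policy.webOrigins.has(origin)
    ? { ok: true, kind: "web" }
    : { ok: false, reason: "unexpected web origin" };
}

// Constructed sample inputs: one from a browser, one from an unlisted app.
const encode = (obj) => Buffer.from(JSON.stringify(obj));
const fromBrowser = encode({
  type: "webauthn.get", challenge: "c2FtcGxl", origin: "https://login.example.com",
});
const fromUnlistedApp = encode({
  type: "webauthn.get", challenge: "c2FtcGxl", origin: APK_PREFIX + "SOME_OTHER_APP_HASH",
});

console.log(checkClientDataOrigin(fromBrowser, policy));
console.log(checkClientDataOrigin(fromUnlistedApp, policy));
```

A full verifier also checks the challenge, type, RP ID hash and signature; this block isolates the origin decision only.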