fix: remove support for U2F

[kewde]

Description

This PR deprecates U2F as supported protocol.

U2F is a technology that was hijacked by Ledger in 2016-2018 in order to achieve Web integrations of our devices. It was done at a time there was no other alternative and no way to communicate with "HID" or "WebUSB" technologies in a seemless manner.

In reality, this hasn't been useable for a long time since Chrome has deprecated U2F API for a while now..

Chrome has deprecated the Universal 2nd Factor (U2F) API, and will be removing it entirely with the Chrome v. 98 update in February 2022.

U2F has been a thorn in the eye of WebUSB and has been hampering the user experience for the web.

When HAVE_IO_U2F is enabled, it will also mangle the USB ProductID (PID). If you switch into the Ethereum application, the USB PID changes from 0x5011 to 0x5015 and the Chrome/Brave browser will identifiy it as a "different" device. This forces web developers to re-trigger the 'USB Pairing' screen.

Changes include

• Bugfix (non-breaking change that solves an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (change that is not backwards-compatible and/or changes current functionality)
• Tests
• Documentation
• Other (for changes that might not fit in any category)

Breaking changes

Disable U2F.

Additional comments

• BOLOS, Bitcoin and Solana apps both have a USB PID of 0x5011 and allow for smooth transitioning between them.

[xchapron-ledger]

@apaillier-ledger I think we already discussed about it.
And If I remember correctly, at that time U2F was needed for Metamask usage. Do we know if this is still true?

When HAVE_IO_U2F is enabled, it will also mangle the USB ProductID (PID). If you switch into the Ethereum application, the USB PID changes from 0x5011 to 0x5015 and the Chrome/Brave browser will identifiy it as a "different" device. This forces web developers to re-trigger the 'USB Pairing' screen.

Note that there is still a usb disconnexion / reconnexion when moving from an app to an another, even if there is no PID change (which might lead to a smooth handling from Chrome?). Though part of this behavior might change in future OS.

[kewde]

I just checked to see for any previous context, and I've seen one other attempt at removing this but not a lot of info there 😅 .

This is what I've been able to find for now:

• MetaMask browser extension uses WebHID
• MetaMask mobile does show signs of U2F but AFAIK it uses bluetooth

Note that there is still a usb disconnexion / reconnexion when moving from an app to an another,

I've noticed that as well, for now, it seems to be picking up the device cleanly as long as the PID is the same 👍

[apaillier-ledger]

U2F was left activated in order to work with Firefox which does not support WebHID (since it is not yet standard / still experimental).
However Firefox seems to have removed/changed something with the U2F support since version 114 and since then it has been broken and Metamask & Firefox teams have been pointing fingers at each other and nothing has been fixed.
Removing it from the app would mean that someone that has been happily using Metamask through an older version of Firefox would not be able to anymore. 🤔

[kewde]

I see, let's keep U2F then👍

I believe the latest firefox browser still supports it through config flags

Do you happen to know why the PID is being mutated based on which protocols it speaks? Is that standardized somewhere, I haven't seen any other USB devices do this 😄

Disabling U2F was just a means to an end, to get a stable PID with the other apps.

[apaillier-ledger]

Do you happen to know why the PID is being mutated based on which protocols it speaks? Is that standardized somewhere, I haven't seen any other USB devices do this 😄

I'm afraid I don't know the history behind this decision.

[cedelavergne-ledger]

U2F support will be removed in next release.
Closing.