Yeah, Chromium is needed to add keys, which effectively means you can’t enable Advanced Protection without Chromium. I personally ran into this wall. I acknowledge that this sucks, as a person that intentionally only uses Firefox, but to be clear logging in and most other operations work absolutely fine with Advanced Protection.
Does it really disable all API access? I thought it only blocked certain OAuth scopes, but to be honest I haven’t really tried.
I was able to login to a NVIDIA Shield, but only by resetting and bootstrapping off a spare Android device (!!!) because U2F keys are broken on Shield. Interestingly, my Samsung TV remains signed into Youtube, which is kind of odd now that I think about it.
With that done, GitHub prompts me for my key. My Linux office workstation is missing the necessary udev rule, so I couldn't test more. (Funnily, pressing Cancel caused them to send me a SMS, so their 2FA is practically worthless).
I've run into strange interactions where adding a key is disabled in Firefox (even with the security.webauth.u2f flag set to true), but once one key is added, you can add subsequent keys no problem.
This is how Github worked for me - I think it's just a mis-match in the code checking for U2F functionality...
I think adding the key use a different mechanism - there are two JS interfaces for U2F, and FF only supports one of them.
TBH I've added my key to GitHub with chromium, but have since moved to FF; so that might be what you're seeing with GitHub.
Youtube/YoutubeTV seem to be walled off on 2nd factor auth. I've been able to log into both on browsers w/o 2nd factor and then get prompted when logging into web gmail.
Does it really disable all API access? I thought it only blocked certain OAuth scopes, but to be honest I haven’t really tried.
I was able to login to a NVIDIA Shield, but only by resetting and bootstrapping off a spare Android device (!!!) because U2F keys are broken on Shield. Interestingly, my Samsung TV remains signed into Youtube, which is kind of odd now that I think about it.