fido2 | source FIDO server , featuring the FIDO2 standard | Authentication library

You could filter the object with a check of the properties.

So: it is true Security keys are now supported for SSH Git operations , as announced early this month (May 2021) on GitHub, but, as discussed here, there are still issues.

Your error message looks like a bug in progress on Debian: "issue 980393: /usr/bin/ssh-keygen -t ecdsa-sk fails with "Key enrollment failed: invalid format"".
And it is still being reported this month.

If this fails also with -t ecdsa, try and using a plugin for OpenSSH to connect to FIDO/U2F security keys through native Windows Hello APIs might help.
Type export SSH_SK_HELPER=/usr/lib/ssh/ssh-sk-helper.exe first, as seen in tavrez/openssh-sk-winhello issue 1.
Check your OpenSSH version is at least 8.2. It is on my side with the latest Git for Windows:

You can easily achieve this result using reduce.

When this JSON was built, it is inserting the enum numerical value rather than the string value. For example, in the pubKeyCredParams all of the type value should be "public-key", not 0, attestation should be "none" instead of 0, and userVerification should be "preferred", not 1. All are defined as DOMString in the spec https://www.w3.org/TR/webauthn/.

There may be other issues, but the biggest problem is that you are attempting to verify the signature against the hash of the clientDataJSON. It should actually be the binary concatenation of authenticatorData and the hashed clientDataJSON.

From https://www.w3.org/TR/webauthn/#sctn-verifying-assertion, step 20:

"Using credentialPublicKey, verify that sig is a valid signature over the binary concatenation of authData and hash."

Given what you have, something like this should work:

Is there any way to disable/disallow this registration in the production environment?

Short answer: you don't have to.

Long answer: the virtual authenticator implementation is specifically designed to discourage its use in production systems. The credentials are bound to a single frame (for the most part, this means a single tab), and are cleared as soon as the virtual environment is disabled or the tab closed.

The worst possible scenario would be a user locking themselves out, but they would have to be savvy enough to find the extension (or the new devtools panel on chrome 87) & set up the authenticator, while not realizing they can get locked out. We don't consider this a significant risk.

I tried to set up Google account 2-Step Verification using a virtual authenticator tab extension. But Google does not allow us to register a FIDO key from a virtual authenticators tab extension.

At the moment, Google is using the old U2F javascript API to register credentials, which is not supported by the virtual authenticators. This is why registration fails.

isUserVerifyingPlatformAuthenticatorAvailable() returns a Promise of boolean so your code should look more like:

After lengthy study of the C++ code of the Mozilla Browser I think I found the problem. It was in the size field of the COSE_PARAMS structure.

WebAuthn is a standard for browsers, which means it can only be implemented in browsers as of today. On Android, it's indeed restricted to the browser of ChromeCustomTabs. On iOS, it may be allowed in internal webviews - but still in a web component.

There is no way to have it working with the native UI, especially because WebAuthn authentication is bound to an URI (which there isn't in a native mobile application UI).

WebAuthn and OAuth2 are not related. OAuth2 is a API access control protocol: you first get tokens on the authorization server using a web flow (except in some special cases), which typically involves an authentication and authorization process, and then consume these access tokens on an API that verifies them. WebAuthn is an authentication scheme: after initial enrolment, a user can authenticate with an authenticator without presenting a password.

The only way these two things are related is that WebAuthn can be used as an authentication scheme in the OAuth2 authentication process (instead of a password, an OTP sent by email or SMS, a push notification...).

If you want to have single authentication process between your native application and some of your web applications on the same mobile device, the way to go is to have a unique, central authentication service which will deal with authentication and SSO (Single Sign-On). It prevents a user from having multiple accounts, registration and authentication processes.

To do that, your native mobile application has to use it too - and therefore use web authentication. AppAuth is a library that allows doing such a thing, and uses the OAuth2 protocol (and therefore provides with OAuth2 access tokens, to access APIs). Since your native application has no data within itself, but needs to retrieve data somewhere (probably an API), that might be what you want. But you can't achieve SSO with fragments as far as I know, because any non-ChromeCustomeTab component will not share cookies outside of the application.