The virtual authenticator extension provided in Chrome (virtual authenticators tab) is used for testing/debugging the FIDO2 WebAuthn authentication mechanism without using physical authenticator keys. This is useful in automated testing, e.g. via Selenium.
- Should it be allowed in the Production environment of the IAM provider?
- Is there any way to disable/disallow this registration in the production environment?
I tried to set up Google account 2-Step Verification using a virtual authenticator tab extension. But Google does not allow us to register a FIDO key from a virtual authenticators tab extension.
Short answer: you don't have to.
Long answer: the virtual authenticator implementation is specifically designed to discourage its use in production systems. The credentials are bound to a single frame (for the most part, this means a single tab), and are cleared as soon as the virtual environment is disabled or the tab closed.
The worst possible scenario would be a user locking themselves out, but they would have to be savvy enough to find the extension (or the new DevTools panel in Chrome 87) and set up the authenticator, while not realizing they can get locked out. We don't consider this a significant risk.
At the moment, Google is using the old U2F JavaScript API to register credentials, which is not supported by the virtual authenticators. This is why registration fails.