Link to vendor-agnostic page for buying a security key #463

Closed
iandunn opened this issue Oct 4, 2022 · 4 comments

@iandunn
Member

iandunn commented Oct 4, 2022

The settings screen currently links to a Google article for information on buying a key:

```php
<p><a href="https://support.google.com/accounts/answer/6103523"><?php esc_html_e( 'You can find FIDO U2F Security Key devices for sale from here.', 'two-factor' ); ?></a></p>
```

IMO, it'd be more appropriate to link to an independent page that describes multiple vendors. I don't have a good one off the top of my head, though; does anyone know of one?

U2F might go away per #423, but I'm assuming we'd want to keep the language for FIDO2 keys (#232).

@iandunn
Member Author

iandunn commented Oct 4, 2022

https://fidoalliance.org/fido-certified-showcase/ might be a good one, but the number of options could be overwhelming for most folks. If we link there, we could add something like, "The most popular options from YubiKey, Titan, and Thetis" (or whatever vendors folks think are best).

https://www.nytimes.com/wirecutter/reviews/best-security-keys/ has lots of good info, but currently only recommends one vendor, which might be a little too skewed. It's at least an independent assessment, though.

@Clorith
Member

Clorith commented Oct 4, 2022

I agree that a provider-agnostic source should be used. I'm not sure if fidoalliance is the right one though (getting newsletter popups as soon as you open a page isn't a great user experience, and feels like shelling over user information to 3rd parties).

Is there any reason we couldn't have a HelpHub page about enhancing your account security, since this is a core plugin then linking to it from there, and to the team's 3 most preferred vendors would be acceptable I think, maybe with a footnote linking to fidoalliance with a disclaimer that, disclaimers don't fit so well within plugins in the same way they do in a dedicated document to a thing after all.

I'm thinking something like the following wireframe:

| content block |
| content block |
| key | key | key |
| fidoalliance |

Where the fidoalliance has texts such as

There are many alternatives when it comes to keys, and these are only a few of the well known and often used ones. The fidoalliance, an unaffiliated third-party, that sources information about security key vendors, may have options that fit better into your daily activities.

I don't think it's possible to avoid some personal bias when providing options (it could be as simple as "that one was listed first" even though they had the same information about them), but at least this way the X most common are shown on as equal footing as possible, they are what those working on the feature use themselves, and the resource for a third party with a larger selection is provided 🤔

@iandunn
Member Author

iandunn commented Oct 4, 2022

Yeah, I think that's a good idea 👍🏻

@kasparsd
Collaborator

The FIDO U2F section will be removed in the next major release of the plugin #423 so I'm marking this as won't do.

@kasparsd closed this as not planned Sep 19, 2024
@github-project-automation bot moved this from To Do to Done in Open Source Practice Sep 19, 2024
@jeffpaul removed this from the Future Release milestone Oct 10, 2024