I think we found out about it in October or November from a pre-release Chromium Edge user? I definitely was surprised to see as short a turnaround as 5-6 months, and if you're only hearing about it now I can't imagine the stress.

I was lucky to have some time to work on it and get it done before the holidays so I didn't have to worry too much. I wrote up a migration blog post and commented it here as well because I know I wanted that kind of resource when I was working on it, so if anyone needs that I hope it helps.

If you're using the U2F API you've been getting a warning about it since November. I can't imagine developers that are using it are still unaware at this point, particularly when it's a user-facing warning and not just buried in the developer tools.

3 months is not a long time at all.

It's three months to become aware of the problem, and maybe migrate. If you cannot complete the migration in the window you can opt into the deprecation trial and you'll have until around August.

Especially not across the Holiday period.

It's not, but as someone who has to deal with multi-year depreciations, setting the expectation that 3/4 month depreciations are something you'll have to deal with, is probably healthier for the ecosystem as a whole. It sets up positive incentives around automating testing and deployments. Anything that's valuable enough that you'd use u2f to auth to needs to be in this mode for general security updates regardless. Granted, moving to a new API is almost certainly more work than a normal security upgrade, but the point is that these types of websites are not something that you can set and forget. They need dedicated, ongoing maintenance.

The migration period since warnings is afully short (~3 month, over Christmas and new year too).

But as far as I understand you where supposed to start mitigating since WebAuthn was ready. Not sure when that was but it was quite a while ago.

The deprecation and accompanying warning was in November but Google publicly stated their intention to deprecate in November and remove at the end of February at least as far back as June.

Edit: The intent to deprecate and remove was sent to the blink-dev mailing list on June 11th. It can be found on row 2731 of the Blink Intents spreadsheet, https://bit.ly/blinkintents.

It's three months from notification until it's disabled by default. You can opt into the deprecation trial and you'll have until early August to migrate.

I have been hearing about this for a few months now since logging in to Vanguard (the brokerage) throws a Chrome warning about using the deprecated API. I don't think Vanguard has migrated yet.