Got a bit of time to test, and it works…
So:
- needed only once, Firefox (Desktop) setup, in about:config:
  - set security.webauth.webauthn_enable_usbtoken to false
  - set security.webauth.webauthn_enable_softtoken to true
- check it: go to https://webauthn.bin.coffee/ and press Create; if you get a green background and a bunch of text, it’s OK
- read “Turn on 2-Step Verification - Android - Google Account Help”
- follow steps, select “physical key”, follow prompts
- it should just pass
- go back to Security, enter 2-step verification, scroll to Authenticator
- get FreeOTP+ (I tested this) or another authenticator app and scan the QR code to set it up
- go back, go to Security (physical) key, remove it (so it does not depend on this Firefox instance, e.g. doing this in Private mode will destroy the virtual USB token lol)
- save backup codes, put them somewhere safe
Great, now, go back to Security, App passwords, set as many as you want. I tested with Fairemail from F-Droid and Thunderbird and they work fine.
PS: revert the Firefox settings too