What is CryptoTokenExtension in Chromium extensions?

What is CryptoTokenExtension in Chromium extensions? It's not from Chrome Web store, and cannot be removed. Is it safe to use?



It is the extension that allows two-step verification between hardware. From the link:

Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).

Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.

It is supported by Google Chrome since version 38 and Opera since version 40. Firefox has an add-on for this. And Microsoft has plans to implement it. Dropbox, GitHub, GitLab and Bitbucket support it too.

Is it safe to use?

Well... the tool itself is there to protect you from misuse. But it all depends on how you treat your hardware I would say. On the other hand... it IS a tracking tool so Richard Stallman will disagree (strongly and furiously) (:))


It is part of Chromium and an extension shipped with Chromium.

Proof:

Searching for kmendfapggjehodndflmmgagdbamhnfd in the source code of all Debian packages

It shows up in multiple packages, including chromium and qtwebengine-opensource-src which is based on chromium, but also in others referencing it, e.g. here:

  • chromium_83.0.4103.116-3.1/content/browser/webauth/webauth_request_security_checker.cc:

    constexpr char kCryptotokenOrigin[] =
       "chrome-extension://kmendfapggjehodndflmmgagdbamhnfd";
    // Returns AuthenticatorStatus::SUCCESS if the domain is valid and an error
    
  • chromium_83.0.4103.116-3.1/content/browser/webauth/authenticator_impl_unittest.cc:

    constexpr char kTestRelyingPartyId[] = "google.com";
    constexpr char kCryptotokenOrigin[] =
       "chrome-extension://kmendfapggjehodndflmmgagdbamhnfd";
    constexpr char kTestExtensionOrigin[] =
       "chrome-extension://abcdefghijklmnopqrstuvwxyzabcdef";
    
  • chromium_83.0.4103.116-3.1/chrome/browser/webauthn/chrome_authenticator_request_delegate.cc:

     // Don't override cryptotoken processing.
     constexpr char kCryptotokenOrigin[] =
         "chrome-extension://kmendfapggjehodndflmmgagdbamhnfd";
     if (caller_origin == url::Origin::Create(GURL(kCryptotokenOrigin))) {
       return base::nullopt;
    

It also doesn't look like any of these occurrences are a blacklist or something else negative.

Also learned from that search result: Multiple other packages, like e.g. libauthen-u2f-perl reference this ID as "The Chrome packaged app extension ID".

It seems as if that extension is not provided by some separate extension files, as is common with all 3rd party extensions, but it seems to be built into Chromium itself:

$ dgrep kmendfapggjehodndflmmgagdbamhnfd chromium chromium-common chromium-driver chromium-sandbox chromium-shell
Binary file /usr/lib/chromium/chromium matches
Binary file /usr/lib/chromium/chromium-shell matches
Binary file /usr/lib/chromium/chromium-shell matches

Actually I'm kinda surprised that even after four years (given the date of the original question), the Chromium developers neither seem to have managed nor found it appropriate to remove that "Not from Chrome Web Store" warning from chromium-internal extensions. It is just not highlighted as much as back then anymore.

P.S.: Ubuntu though builds their own chromium-browser package which is not based on Debian's chromium package. And since recently Ubuntu even ships it in one of these IMHO irksome and unnecessary snap packages. But the upstream source code still should be the same.
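
The binary search from the answer above, turned into a reusable check that separates IDs compiled into the browser from IDs installed into a profile. This is an added example, not part of the original answer or of Chromium: the function name, the `<profile>/Extensions/<id>` layout and the demo files are assumptions, and the demo binary and profile are constructed.

```shell
#!/bin/sh
# classify_extension_id ID BROWSER_BINARY PROFILE_DIR
# Prints: built-in | profile-installed | both | not-found | invalid-id
classify_extension_id() {
    id=$1 binary=$2 profile=$3

    # Extension IDs are exactly 32 characters from the alphabet a-p.
    case $id in
        ''|*[!abcdefghijklmnop]*) echo invalid-id; return 2 ;;
    esac
    [ "${#id}" -eq 32 ] || { echo invalid-id; return 2; }

    in_binary=no in_profile=no
    # -a: read the binary as text, -F: fixed string, -q: exit status only.
    if [ -r "$binary" ] && LC_ALL=C grep -aqF -- "$id" "$binary"; then
        in_binary=yes
    fi
    # Assumption: extensions installed into a profile get a directory
    # named after their ID under <profile>/Extensions/.
    if [ -d "$profile/Extensions/$id" ]; then
        in_profile=yes
    fi

    case $in_binary/$in_profile in
        yes/no)  echo built-in ;;
        no/yes)  echo profile-installed ;;
        yes/yes) echo both ;;
        *)       echo not-found ;;
    esac
}

# Constructed demo data: a fake "browser binary" containing the CryptoToken
# origin string, and a fake profile holding one made-up extension ID.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '\000\001chrome-extension://kmendfapggjehodndflmmgagdbamhnfd\000' \
    > "$demo_dir/chromium"
mkdir -p "$demo_dir/profile/Extensions/aaaabbbbccccddddeeeeffffgggghhhh"

classify_extension_id kmendfapggjehodndflmmgagdbamhnfd \
    "$demo_dir/chromium" "$demo_dir/profile"
classify_extension_id aaaabbbbccccddddeeeeffffgggghhhh \
    "$demo_dir/chromium" "$demo_dir/profile"
```

On a real system, pass the browser binary (for Debian's package, `/usr/lib/chromium/chromium` as shown above) and the profile directory in place of the demo paths.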