Prevent web browser from trying to navigate to unknown URL scheme


When I use a service for online authentication, I get a URL to navigate to that will automatically open an app that is used for the passcode input.

The URL is in this format:

bankid:///?autostarttoken=2a1b5e2c-c9fb-4402-1239-2a1619d655e9&redirect=null

Navigation to this kind of URL only makes sense on a mobile device where a certain app is installed.

Nevertheless, desktop browsers (not all of them) also try to navigate to such a URL, as if that would ever be possible. That of course results in an error page.

Why do they do that?

Do I need to use a hidden form?

Will every mobile device honor that?

Best answer

The custom URL scheme is used to be able to start an application locally, in this case the BankID client, which handles the 2FA.

This works nicely on both mobile and desktop, as long as the custom URL scheme is registered. AFAIK for mobile, if the URL scheme is not registered locally, it will query the app store and let the user install from there. BankID is available for both iPhone and Android in the app store. On Windows it also queries the app store, but the BankID client is not available as a Windows App, so it has to be installed manually from https://install.bankid.com. On Mac I have no idea if it queries the app store, but I know it has to be installed manually from https://install.bankid.com

Android, iPhone, Windows Phone, Windows Mobile, Windows XP and later, and Mac OS X all honor the custom URL scheme, but it also needs to be honored by the browser, which all the major browsers do.

Historically, before mobile, we used to start programs using the NSS plugin support in the browsers. NSS plugin support was removed by the browsers since it was easy to misuse from a security point of view.

That's why the custom URL schemes are used.

As you can read in the BankID relying party guidelines, there is a transition to using https://app.bankid.com links to start the client instead. Basically, that's just a custom URL scheme similar to bankid://, but it registers both the protocol (https://) and the host (app.bankid.com), which then starts the app. This has the added benefit that a user who hasn't got the client installed and is not able to find the client via an app store or similar will get the website, which can then help the user to install the client.

As the idea of an app link is to let the user navigate to the website if the URL is not registered locally, don't hide the navigation.