Microsoft: You looking at me funny? Oh, you just want to sign in

Paul 129

Re: I Don't Get It...

Having used a KEY-ID U2F device in Linux for a few weeks now, I can say they are the way to go. You can have more than one key linked to an account, so do this. Thus you have spare keys, or a master key if you're the admin for a host of services.

The protection that these offer is protection from remote theft of credentials. Someone has to press the button on the device. MITM is greatly mitigated too. I would suggest that a password would be better protection than a PIN. That way, if you're unfortunate enough to lose your machine and key, you still have some protection. Each service that requests auth should also have some certificate chain to verify who they are, the port and service or namespace (forgive my manglement of the correct jargon).

Just be aware that if you want them to authorise against Google services, you should set your browser to forget cookies on close, or it will forever keep you logged in.

These aren't perfect, but they sure raise the bar for stealing remote accounts.
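Added example, not part of the post above and not code from any U2F library or token vendor: a toy model of the flow the commenter describes, showing why the button press and the origin binding stop remote credential theft and a relayed (MITM/phishing) challenge, and how several keys can be linked to one account. Assumptions: the two origins are constructed for the demo, and the signature is modelled with HMAC-SHA256 over a per-credential secret the relying party stores at registration, standing in for the ECDSA P-256 key pair and DER signature a real token uses. The challenge, the origin in the client data, and the appId hash and counter inside the signed message follow the protocol's structure.

```python
"""Toy U2F model: challenge, origin-bound client data, button press, counter.
Added example; HMAC stands in for the real ECDSA signature (see lead-in)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

RP_ORIGIN = "https://accounts.example.com"     # legitimate relying party (constructed)
PHISH_ORIGIN = "https://accounts-example.net"  # attacker's look-alike origin (constructed)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class Authenticator:
    """Hardware token. Each key handle is bound to the appId it was registered for."""
    creds: dict = field(default_factory=dict)  # handle -> (secret, app_id)
    counter: int = 0
    check_app_id: bool = True                  # real tokens check; False models a sloppy one

    def register(self, app_id: str, touched: bool):
        if not touched:
            raise PermissionError("button not pressed")
        handle, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self.creds[handle] = (secret, app_id)
        return handle, secret                  # secret stands in for the public key

    def sign(self, handle: str, app_id: str, client_data_hash: bytes, touched: bool):
        if not touched:
            raise PermissionError("button not pressed")
        secret, bound = self.creds[handle]
        if self.check_app_id and bound != app_id:
            raise ValueError("key handle not registered for this origin")
        self.counter += 1
        msg = sha256(app_id.encode()) + b"\x01" + self.counter.to_bytes(4, "big") + client_data_hash
        return self.counter, hmac.new(secret, msg, hashlib.sha256).digest()


@dataclass
class RelyingParty:
    app_id: str
    users: dict = field(default_factory=dict)    # user -> {handle: [secret, last_counter]}
    pending: dict = field(default_factory=dict)  # outstanding challenge -> user

    def add_key(self, user: str, handle: str, secret: bytes) -> None:
        self.users.setdefault(user, {})[handle] = [secret, 0]

    def begin(self, user: str) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending[challenge] = user
        return challenge

    def finish(self, user, handle, client_data: bytes, counter: int, sig: bytes) -> bool:
        cd = json.loads(client_data)
        if self.pending.pop(cd.get("challenge"), None) != user:     # fresh, unused challenge
            return False
        if cd.get("typ") != "navigator.id.getAssertion" or cd.get("origin") != self.app_id:
            return False                                             # origin binding
        cred = self.users.get(user, {}).get(handle)
        if cred is None:
            return False
        secret, last_counter = cred
        if counter <= last_counter:                                  # cloned-token detection
            return False
        msg = sha256(self.app_id.encode()) + b"\x01" + counter.to_bytes(4, "big") + sha256(client_data)
        if not hmac.compare_digest(sig, hmac.new(secret, msg, hashlib.sha256).digest()):
            return False
        cred[1] = counter
        return True


def browser_sign(token, origin, handle, challenge, touched=True):
    """Browser side: the origin it is really connected to goes into the client data."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": origin}).encode()
    counter, sig = token.sign(handle, origin, sha256(client_data), touched)
    return client_data, counter, sig


def demo() -> dict:
    """Login outcomes (True = accepted) for the scenarios the post mentions."""
    rp = RelyingParty(RP_ORIGIN)
    primary, spare, lax = Authenticator(), Authenticator(), Authenticator(check_app_id=False)
    handle = {}
    for tok in (primary, spare, lax):                  # several keys linked to one account
        h, s = tok.register(RP_ORIGIN, touched=True)
        rp.add_key("paul", h, s)
        handle[id(tok)] = h
    out = {}
    for name, tok in (("primary", primary), ("spare", spare)):
        assertion = browser_sign(tok, RP_ORIGIN, handle[id(tok)], rp.begin("paul"))
        out[name] = rp.finish("paul", handle[id(tok)], *assertion)
    out["replay"] = rp.finish("paul", handle[id(spare)], *assertion)   # resubmit old assertion
    try:                                               # remote attacker cannot press the button
        browser_sign(primary, RP_ORIGIN, handle[id(primary)], rp.begin("paul"), touched=False)
        out["no_touch"] = True
    except PermissionError:
        out["no_touch"] = False
    try:                                               # phishing page relays the real challenge
        browser_sign(primary, PHISH_ORIGIN, handle[id(primary)], rp.begin("paul"))
        out["phish"] = True
    except ValueError:                                 # token refuses the foreign origin
        out["phish"] = False
    lax_assertion = browser_sign(lax, PHISH_ORIGIN, handle[id(lax)], rp.begin("paul"))
    out["phish_lax"] = rp.finish("paul", handle[id(lax)], *lax_assertion)  # RP rejects origin
    return out


if __name__ == "__main__":
    print(demo())
```

The two independent checks are the point: a conforming token will not even produce an assertion for an origin its key handle was not registered for, and a relying party still rejects an assertion whose client data names a different origin, because the origin it signs over is hashed into the message. The per-token counter lets the relying party notice a cloned key, and the one-shot challenge kills replay of a captured assertion.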
