U2F support worked fine in initial tests, but we need some support to enable it selectively/gradually (based on an LDAP setting), as not everyone will have a token immediately. There's an upstream change pending for that. We'll also need some local tooling to keep track of and revoke device IDs.
In addition, this needs further infrastructure changes when using it in an HA setup (e.g. replication of device IDs).