We need a cookbook which removes a registered U2F token from the device database (so that it can get easily revoked if a device is stolen/lost/broken).
And once there's a cookbook, we could also fold calling the current modify-mfa script into it (to simplify management for whoever's on SRE clinic duty). Maybe something like the following?
sre.idm.u2f [--enable|--disable|--reset-token] $USER