That only works for local authentication. Which is fine, the article is about login and sudo.
But there's a problem. If I had partial access and the first factor (password) I'd race the real admin's "sudo" for the U2F touch. Poll list of processes in a loop. If "sudo" was just started, ask for U2F before sudo has a chance. (e.g. by having a pre-started sudo paused in GDB).
U2F has its problems for non-web auth. Just look at how awkward the SSH patches are. (also not secure and/or anonymous (I forget), by the way. See mailing list threads)