I'd like to add my thoughts on U2F security.
I've seen several big "hacks" happen. My initial investigation came up with no software holes and no 0-day exploits, but what was interesting was that each time, the compromised systems looked like root had been accessed, when root access is not possible via any remote means other than sudo.
In all those cases the initial hack was social engineering. Someone would call the hosting provider, answer some questions on the phone and request a new password for the management console/control panel. This worked for two hosting providers who did not verify the phone with a password over email, while another did so but the admin's email was also compromised.
I hope Linode's security team will think about ways to mitigate social engineering hacks and hopefully U2F will add an additional layer of security. We need to take hosting security seriously, like banks (who issue a number generator device) or like all major cryptocurrency exchanges of bitcoin (they require U2F for all big/corporate accounts).
I have faith in Linode's developers; in the past they have taken our requests and made them reality, like the CAA domain type.
_________________ I love my computer... all my friends live there.