When U2F is widely used, there will be more social engineering tricks - like, visit this attacker website or download this tool/browser extension, put cursor in box, now please touch your key to verify your identity.
Countless creative ways will be tried and discovered.