If say my Gmail is configured to trust my awesome Darth Vader bobble head authenticator, the tiny one I keep on my keychain and one that's in my locked desk drawer with my cyanide pills and then I lose my keys somehow, I go home, use the Darth Vader to sign in, click for the account credentials page, pick the keychain one and pick remove. I can add another one when I buy it, using the ordinary enrollment step.
No new API needed or desired.
The trick to U2F and this whole family of technologies is that the devices are really dumb, your authenticator doesn't remember "I'm allowed to authenticate to Google, I picked this key" it just turns google.com into a number and uses that with some crypto arithmetic. If you never actually enrolled with Google, the results are worthless but it has no idea. If I try to sign into Mike's account with Sarah's authenticator, it doesn't work but there's no clue why. The authenticator doesn't even know it's Sarah's.
If say my Gmail is configured to trust my awesome Darth Vader bobble head authenticator, the tiny one I keep on my keychain and one that's in my locked desk drawer with my cyanide pills and then I lose my keys somehow, I go home, use the Darth Vader to sign in, click for the account credentials page, pick the keychain one and pick remove. I can add another one when I buy it, using the ordinary enrollment step.
No new API needed or desired.
The trick to U2F and this whole family of technologies is that the devices are really dumb, your authenticator doesn't remember "I'm allowed to authenticate to Google, I picked this key" it just turns google.com into a number and uses that with some crypto arithmetic. If you never actually enrolled with Google, the results are worthless but it has no idea. If I try to sign into Mike's account with Sarah's authenticator, it doesn't work but there's no clue why. The authenticator doesn't even know it's Sarah's.