This (although good to hear - I would also be interested in a purely U2F 2FA setup for email) seems to only be concerned with security for the user's perspective. What about the security of the service itself from a more "backed" / overall perspective (those factors beyond the user's control)? As much as I dislike Gmail as a big brother it's hard to beat Google's security team.