The Qubes U2F Proxy is a secure proxy intended to make use of U2F two-factor authentication devices with web browsers without exposing the browser to the full USB stack, not unlike the USB keyboard and mouse proxies we’ve already implemented in Qubes. For even more protection, you can combine this with the Qubes firewall to ensure, for example, that the browser in your banking qube accesses only one website (your bank’s website). By configuring the Qubes firewall to prevent your banking qube from accessing any other websites, you reduce the risk of another website compromising the browser in an attempt to bypass U2F authentication.
The large number of possible combinations of Qubes version (3.2, 4.0), TemplateVM (Fedora 27, 28; Debian 8, 9), and browser (multiple Google Chrome versions, multiple Chromium versions, multiple Firefox versions) made it impractical for us to test every combination that users are likely to attempt with the Qubes U2F Proxy. In some cases, you may be the first person to try a particular combination. Consequently (and as with any new feature), users will inevitably encounter bugs. We ask for your patience and understanding in this regard.