[DorothySim]

Interesting design. As far as I understood from old papers client certificates are used only to identify the device while user authentication is handled differently.

Could you elaborate on the technical details on user authentication? (If that's not top-super-secret) I guess it's just like accounts.google.com for Enterprise with mandatory 2FA (username+password+U2F key?). Does it work the same on mobile/Android (U2F via NFC or codes)?

[weeks]

Android supports U2F via NFC and Bluetooth now, which is used for user authentication on Android devices. We've also released an (experimental?) iOS app to support U2F over Bluetooth.

https://itunes.apple.com/us/app/google-smart-lock/id11520663...