[klodolph]

I think verification that the implementation is correct is easy enough, which implies that it is "strong", because these devices simply implement a spec.

What you might want to look at is things like hardware hardening or side channels. (Whether or not you consider this a matter of "correctness" can be argued, but here I would consider correct = implements correct algorithm.)

I think attacks against U2F devices are fairly difficult because you can't really use them as any kind of oracle, just due to the way the user interface works. But I am not a crypto expert, I just know how U2F works.