U2F does not require SMS, and that's what it's designed to work around: problems inherent to "traditional" 2nd factor authentication. It does this by a secure connection from your browser (which does a challenge/response with your U2F token) to the server. You can connect your U2F token to your phone and auth on any network without SMS.

But U2F is really only a stopgap technology designed to provide a better mechanism than SMS or TOTP. There are still difficulties users will find with this mechanism that are problematic to secure or make less cumbersome, slowing adoption and security in general. And U2F still has several attacks that will work against it, making it somewhat trivial for malware to take over an account.

I envision a future where not only are there many factors we can use to authenticate, but that we might never need to "reset" our accounts again. That the majority of attacks on the user could end, and that servers will be more resilient to both general attacks and specifically data exfiltration. And that the data we use to secure accounts on the server can't be reused. An almost secure technological world.

This requires implementing strong security measures in all of the computers we use today. It also requires the adoption of universal multi-factor authentication methods, and a methodology to protect them from abuse by attackers. You can't get there by tacking more complicated mechanisms onto computers that are already not secure.
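To make the challenge/response mentioned in the comment above concrete, here is a small simulation added for this page (it is not code from the thread or from any U2F implementation). Real U2F tokens sign with a per-registration ECDSA key; to keep the example on the standard library alone, an HMAC over the same byte layout stands in for that signature, so the server holds a verification secret where a real relying party would hold only a public key. The origins, the username and the class names are all constructed for the example. The point it demonstrates is the part the comment calls "work around" problems with SMS codes: the browser, not the user, supplies the origin that is bound into the signed data, so a response produced for a look-alike site fails verification at the real server, and a replayed response is rejected by the challenge and the signature counter.

```python
import hashlib
import hmac
import secrets


def _client_data_hash(challenge: bytes, origin: str) -> bytes:
    # The browser fills in the origin it actually observed; the user never types it.
    return hashlib.sha256(challenge + b"|" + origin.encode()).digest()


def _signed_bytes(app_id: str, counter: int, client_data_hash: bytes) -> bytes:
    # Layout mirrors U2F: sha256(appId) || user-presence byte || 4-byte counter || clientDataHash
    return (hashlib.sha256(app_id.encode()).digest()
            + b"\x01"
            + counter.to_bytes(4, "big")
            + client_data_hash)


class SimulatedToken:
    """Hypothetical stand-in for a U2F security key (constructed for this example)."""

    def __init__(self):
        self._creds = {}   # key_handle -> per-registration secret
        self._counter = 0  # monotonically increasing signature counter

    def register(self, app_id: str):
        key_handle = secrets.token_hex(16)
        secret = secrets.token_bytes(32)
        self._creds[key_handle] = secret
        # A real token returns a public key here; the HMAC stand-in returns the verification secret.
        return key_handle, secret

    def authenticate(self, origin: str, challenge: bytes, key_handle: str):
        secret = self._creds[key_handle]
        self._counter += 1
        cdh = _client_data_hash(challenge, origin)
        # The token signs over whatever origin the browser reports; it cannot be talked into
        # signing for one site while the browser is on another.
        sig = hmac.new(secret, _signed_bytes(origin, self._counter, cdh), "sha256").digest()
        return self._counter, sig


class RelyingParty:
    """Hypothetical server side: issues challenges and verifies responses."""

    def __init__(self, app_id: str):
        self.app_id = app_id
        self._users = {}    # username -> [key_handle, verification secret, last counter seen]
        self._pending = {}  # username -> outstanding challenge

    def register(self, username: str, key_handle: str, secret: bytes):
        self._users[username] = [key_handle, secret, 0]

    def begin_login(self, username: str) -> bytes:
        self._pending[username] = secrets.token_bytes(32)
        return self._pending[username]

    def finish_login(self, username: str, counter: int, sig: bytes) -> bool:
        challenge = self._pending.pop(username, None)
        if challenge is None:          # no outstanding challenge: stale or replayed response
            return False
        key_handle, secret, last = self._users[username]
        if counter <= last:            # counter must advance; a cloned or replayed token stalls here
            return False
        # The server recomputes with ITS OWN app_id, so a response bound to another origin fails.
        cdh = _client_data_hash(challenge, self.app_id)
        expected = hmac.new(secret, _signed_bytes(self.app_id, counter, cdh), "sha256").digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self._users[username][2] = counter
        return True


def run_scenarios():
    """Returns (legitimate login ok, replay ok, look-alike origin ok)."""
    token = SimulatedToken()
    rp = RelyingParty("https://bank.example")
    key_handle, secret = token.register(rp.app_id)
    rp.register("alice", key_handle, secret)

    # 1. Legitimate login from the genuine origin.
    challenge = rp.begin_login("alice")
    counter, sig = token.authenticate("https://bank.example", challenge, key_handle)
    legit = rp.finish_login("alice", counter, sig)

    # 2. The same response submitted a second time: no outstanding challenge, rejected.
    replay = rp.finish_login("alice", counter, sig)

    # 3. The genuine challenge relayed through a look-alike origin (constructed name):
    #    the browser binds the origin it sees, so the real server rejects the response.
    challenge = rp.begin_login("alice")
    counter, sig = token.authenticate("https://bank-login.example", challenge, key_handle)
    lookalike = rp.finish_login("alice", counter, sig)

    return legit, replay, lookalike


if __name__ == "__main__":
    print(run_scenarios())
```

The third scenario is the one that separates this design from SMS or TOTP codes: a six-digit code typed into the wrong site is still a valid code, whereas a U2F response carries the origin it was produced for and is useless anywhere else.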

My bad, I actually confused the U2F acronym with 2FA. You are correct, of course.
