One countermeasure that can partially mitigate the attack is for service providers that offer key-based 2FA to use a feature baked into the U2F standard that counts the number of interactions a key has had with the provider’s servers. If a key reports a number that doesn’t match what’s stored on the server, the provider will have good reason to believe the key is a clone. A Google spokeswoman said the company has this feature.
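The counter check described above, as an added Python example (not code from the quoted article or from any provider). It assumes the raw U2F authentication response layout of one user-presence byte followed by a 4-byte big-endian counter; `Credential`, `replay_scenario` and the sample bytes are hypothetical and constructed. It also shows why the mitigation is only partial: the mismatch appears only once both copies of the key have been used, and the server cannot tell which device is the copy.

```python
import struct
from dataclasses import dataclass

class CounterRegression(Exception):
    """Reported counter did not advance past the value stored by the server."""

def parse_counter(auth_response: bytes) -> tuple[bool, int]:
    """Return (user_present, counter) from a raw U2F authentication response."""
    if len(auth_response) < 5:
        raise ValueError("response too short for flags and counter")
    flags, counter = struct.unpack(">BI", auth_response[:5])
    return bool(flags & 0x01), counter

@dataclass
class Credential:
    key_handle: str          # hypothetical identifier for the registered key
    stored_counter: int = 0  # last counter value the server accepted
    flagged: bool = False    # set once a regression is seen; review manually

    def check(self, auth_response: bytes) -> int:
        # Assumption: the signature over the response was already verified.
        present, counter = parse_counter(auth_response)
        if not present:
            raise ValueError("user presence bit not set")
        if counter <= self.stored_counter:
            self.flagged = True
            raise CounterRegression(f"got {counter}, stored {self.stored_counter}")
        self.stored_counter = counter
        return counter

def constructed_response(counter: int) -> bytes:
    """Constructed sample: presence byte, counter, dummy bytes for the signature."""
    return struct.pack(">BI", 0x01, counter) + b"\x00" * 8

def replay_scenario() -> list[str]:
    """Two devices holding the same key, both starting from counter 41."""
    cred = Credential("kh-example", stored_counter=41)
    outcomes = []
    for device, counter in [("device-A", 42), ("device-B", 42), ("device-A", 43)]:
        try:
            cred.check(constructed_response(counter))
            outcomes.append(f"{device}:accepted")
        except CounterRegression:
            outcomes.append(f"{device}:rejected")
    return outcomes

if __name__ == "__main__":
    print(replay_scenario())
```

The first login from either device is accepted; the regression only surfaces on the second device's login, so a provider should treat the `flagged` state as grounds to require re-enrollment rather than simply rejecting one request.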