Here is a summary of questions on using U2F w/ a Yubikey only to login to a Google account that is hopefully helpful to others:
U2F uses challenge-response. The docs rely on sys-usb; if not present and sys-net handles USB, then installation is not possible, right?
Yubikey Challenge-Response installation is a prerequisite to using U2F, right? It is not sufficient to install drivers only and avoid a full stack implementation.
If sys-usb has to be post-installed, is it possible to set it to only take responsibility for the Yubikey and let wireless keyboards and mice otherwise be handled by sys-net? How to specify an individual USB port to be handled by sys-usb?
If it is not desired to have sys-usb, what are the steps to quickly set up a Yubikey for use w/ U2F to log in to a Google account?
Nope, it “just works” once you have split-u2f installed according to the howto. Yubikey usage is somewhat confusing because it is actually four devices in one:
WebAuthn token, aka U2F. It is what is used by Google and what you configure with the split-u2f configuration.
Proprietary authentication system, which includes OTP and challenge-response mode, which may be used for login and screensaver and some other stuff.
PKCS#11 certificate storage; I wrote a tutorial on how to use split-pkcs11 in Qubes.
OpenPGP-compatible smartcard (yes, it is another API different from PKCS#11!) to store your gpg keys, which may be used with split-gpg.
Very good explanation! Just one more question: WebAuthn token or U2F does not use challenge-response?
Here is the solution to the above question if U2F proxy | Qubes OS is sufficient: yes, you are right, it is. I merely had the entry field not activated, i.e. I had not clicked into it before inserting the Yubikey, which acts like a keyboard; then all works as expected.