Post
Board: Development & Technical Discussion
Topic: Re: IDEA: Using U2F tokens as secure wallets
by maxi_malism on 08/03/2017, 17:00:24 UTC
Okay, so obviously U2F won't work because it's secp256r1; however, UAF (a similar FIDO Alliance scheme, but for auth instead of 2-factor) uses secp256k1! This actually makes more sense, semantically, than U2F.

Apparently the challenge can be anything up to a sha516 hash in length, so signing bitcoin transactions should not be a problem. Unfortunately the FIDO spec uses nonces, which will fuck up the signature. I'm not good enough at cryptography or the inner workings of bitcoin to know if this can be circumvented somehow...

Obviously the hardware wallet makers should spearhead their own scheme for this somehow, but it would be cool to find a solution within the FIDO spec, since it is a bit more broad and endorsed by Google among others.

Any thoughts on if it's even possible to sign the hash with a nonce somehow?