Also this though:

> Security Key and Chrome incorporate the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, so other websites with account login systems can get FIDO U2F working in Chrome today. It’s our hope that other browsers will add FIDO U2F support, too.

If you share the same FIDO U2F key between services, does that mean that one service could spoof tokens for a different service?

e.g. foo gets compromised, so attackers can generate codes for google apps.

No. There are no shared secrets. This is real asymmetric crypto.

You should go contribute patches to the browser of your choice. ;)