I've started fiddling around with U2F and it's looking really promising. Got myself some security keys and started digging into it. I've managed to create a working register/login demo website which works well using the U2F tokens and the U2F Chrome extension.
However... and this is where my question arises: I've also enrolled a security key for my Google account and immediately got struck by the fact that it works without using the U2F Chrome extension. As a matter of fact I've done all the Google enrollment and logins without even having the extension installed. How is this possible? I've read (some of) the FIDO specifications and saw that there may be two API levels: high - which is the u2f namespace exposed by the extension and - and low - which involves using MessagePort API. Maybe this is how Google does it? (also tried doing a chrome.runtime.connect(...) myself, but the chrome.runtime object is undefined in my web page)
Any pointer in the proper direction would be appreciated and of great value at this moment, as there aren't many resources available on this young project called U2F.
Chrome is white listing Google domains. Non-Google domains has to use the extension for now. However, this will change "very soon" according to Google -- this is documented here and mentioned by a Google developer in this webinar.
Edit: The extension is no longer required with Chrome 41. You can test it out here (Note: When accessed from and older version of Chrome, or not via HTTPS, the site will fall back to using the extension).