Hey, yes we are aware of this work. Parts of it (OTP extractions) have already been discussed in the forums as cited inside the paper. The U2F/FIDO2 side-channel attacks are quite sophisticated (laboratory level) and require physical (non-USB) access. The Nitrokey U2F is already deprecated and the Nitrokey FIDO2 will be in the not too far future. The Nitrokey 3 is the successor and does not come with these kind of vulnerabilities, therefore I do not expect that we will implement the proposed countermeasures. Our route from assembly to the customer is very short and localized therefore the described supply chain attack vectors are minimized due to our setup of the latter.