Have you heard of Toggl? It's a time tracker that integrates with your browser and lets you click click click on Google Agenda meetings, JIRA tasks, GitHub PRs and hopefully most of the tools you use, to track how much time you spent on it. I've used it since 2017 and it was a game changer: helped me reduce multitasking, produce factual invoices when billing hourly, identify what ate all the time in my day...
I'm sure there are also other alternatives out there but Toggl is the only one I have experience with.
Awesome analysis, quite instructive. I am even considering adding it to my server performance tool, as a frontend performance metric, since I guess it could be easily automated. Imagine little README badges saying "quite bloated" and "pretty good" :p
If feeding this back to use as a general performance metric, you would have to be very careful to make sure you were measuring the same thing each time, which for a complex application could be difficult unless you are only measuring on initial page load (which might not be as useful as you are hoping for). Without this control you would need a lot of results to make any average or other analysis of the metric meaningful.
For controlled tests run by yourself in dev (rather than a performance metric for your app in production) it could be useful though.
In the original U2F spec, I think there was an "answer" to this revocation issue: "enroll a second device for every origin, and keep this one in a safe". This way you can still connect even if you lose the first one.
There is no huge problem, just an interrogation over how this happened since the UI doesn't allow it and the documentation states this is not possible.
One important thing is to report the phishing attempt, both to the hosting providers involved and to the mail service used to send the emails.