Currently, paid users get better security in the form of more 2FA options including U2F.
I hereby suggest that paid users should get plenty of additional functionality, but NOT better security, than free users.
It’s hard enough to get people to follow good security practices, without making it even harder by requiring them to be paid users.
Note I’m not arguing that paid users should not get more. They get a lot more. But it should never be a requirement to become a paid user to get the security of U2F.
Paid users should get more storage, larger secure notes, ask before losing new data, and many other things. But please do not compromise on security for free users. Give free users even less storage and even smaller secure notes than they get now if you wish, but not worse security.
In the old days, many service providers offered SSL connections only to non-free users. Then eventually everybody came to realize that security should be considered a necessity, not a luxury. Google led the way to HTTPS everywhere, and others quickly followed.
Now it’s time we applied that same principle everywhere else. U2F should be considered as much of a necessity as SSL already is.
I don’t see a problem if the vendor of a proprietary 2FA protocol requires payment from a service provider like Bitwarden. But I think most of the proprietary 2FA protocols don’t require any such payment, and if so, they should be available for free users.