U2F instead of password for “sudo mode”?


Some apps (GitHub being the most prominent IMHO) allow using a U2F token as a means of validation for “sudo mode” (potentially dangerous actions in the UI, like creating a new token) instead of a password.

Intuitively, it seems not very safe, as a stolen device will most probably still contain the U2F token. Am I missing something that makes it safe enough?