The reason you really should use U2F/WebAuthn is that it does origin binding, which makes it unphishable: unlike a TOTP, or any other code you read off a hardware token, an authenticator app on your phone, or an SMS, you can't enter it by accident on a phishing site and then have the attacker enter it on the real one. This is so because the U2F/WebAuthn security key signs a request, sent by your browser, which embeds the requesting page's domain, so a signature produced for the phishing site's domain will not pass the real site's verification checks, whereas a code from your authenticator app is trivially copied.