by Niten 3448 days ago
U2F would prevent this from being exploitable, but one-time password schemes like TOTP would not.

Why would TOTP not suffice to prevent this exploit?
They can use the TOTP token to auth themselves, whereas U2F will not work if you are the middle-man.

U2F basically[0] signs the current URI and HTTPS key and sends it back. If there is a man-in-the-middle then the signatures will not match and the auth will fail.

[0]: https://developers.yubico.com/U2F/Protocol_details/Overview....
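The relay argument above, worked through in code. This is an added example written for this page, not code from the thread, from Yubico or from the U2F spec. It simulates both halves of the comparison: a standard TOTP verifier (RFC 6238, checked against the RFC's own test secret) that cannot tell a relayed code from a typed one, and a cut-down U2F flow in which the token signs the appId hash together with client data that records the origin the browser actually loaded the page from. The U2F side is simplified: registration is skipped, the client's facet check is reduced to exact equality of origin and appId, the token does not check that the key handle belongs to the requested appId, and the TLS channel ID binding the commenter alludes to is left out, so only the origin binding is shown. The hostnames bank.example and bank-example.phish, the challenge string and the secret are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// totp implements RFC 6238: HOTP (RFC 4226) over the 30 s time step, HMAC-SHA1, 6 digits.
func totp(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// The verifier only compares digits, so a code phished at victimTime and relayed at
// attackerTime (same 30 s step) is accepted: nothing in it names the site it was typed into.
func totpRelayAccepted(secret []byte, victimTime, attackerTime int64) bool {
	return totp(secret, attackerTime) == totp(secret, victimTime)
}

// Simplified U2F token: each assertion signs appIdHash || userPresence || counter || sha256(clientData).
type token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func signedBytes(appIDHash [32]byte, auth, cd []byte) []byte {
	cdh := sha256.Sum256(cd)
	return append(append(append([]byte{}, appIDHash[:]...), auth...), cdh[:]...)
}

func (t *token) sign(appIDHash [32]byte, cd []byte) (auth, sig []byte, err error) {
	t.counter++
	auth = make([]byte, 5) // user-presence byte || 32-bit counter
	auth[0] = 0x01
	binary.BigEndian.PutUint32(auth[1:], t.counter)
	h := sha256.Sum256(signedBytes(appIDHash, auth, cd))
	sig, err = ecdsa.SignASN1(rand.Reader, t.priv, h[:])
	return auth, sig, err
}

// browserAssert is the client: it records the real page origin in clientData and, like a compliant
// U2F client, refuses an appId the origin is not a facet of (simplified here to exact equality).
func browserAssert(t *token, pageOrigin, appID, challenge string, facetCheck bool) (cd, auth, sig []byte, err error) {
	if facetCheck && pageOrigin != appID {
		return nil, nil, nil, fmt.Errorf("browser: %s is not a facet of %s", pageOrigin, appID)
	}
	cd, _ = json.Marshal(map[string]string{"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": pageOrigin})
	auth, sig, err = t.sign(sha256.Sum256([]byte(appID)), cd)
	return cd, auth, sig, err
}

// rpVerify is the server side: challenge freshness and origin binding, then the signature.
func rpVerify(pub *ecdsa.PublicKey, rpOrigin, challenge string, cd, auth, sig []byte) error {
	var c map[string]string
	if err := json.Unmarshal(cd, &c); err != nil {
		return err
	}
	if c["challenge"] != challenge || c["origin"] != rpOrigin {
		return fmt.Errorf("rp: clientData %s is not for challenge %s at %s", cd, challenge, rpOrigin)
	}
	h := sha256.Sum256(signedBytes(sha256.Sum256([]byte(rpOrigin)), auth, cd))
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("rp: bad signature")
	}
	return nil
}

// u2fLogin runs one login against bank.example (constructed name) with a token registered there.
// pageOrigin is where the victim's browser really is; a phishing proxy relays challenge and response.
func u2fLogin(pageOrigin string, facetCheck bool) error {
	const bank, challenge = "https://bank.example", "nonce-from-bank"
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cd, auth, sig, err := browserAssert(&token{priv: priv}, pageOrigin, bank, challenge, facetCheck)
	if err != nil {
		return err
	}
	return rpVerify(&priv.PublicKey, bank, challenge, cd, auth, sig)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret
	fmt.Println("TOTP relayed within the step:", totpRelayAccepted(secret, 45, 58))
	fmt.Println("U2F, genuine site:", u2fLogin("https://bank.example", true))
	fmt.Println("U2F, phishing proxy, compliant browser:", u2fLogin("https://bank-example.phish", true))
	fmt.Println("U2F, phishing proxy, client skipping facet check:", u2fLogin("https://bank-example.phish", false))
}
```

The two U2F failure paths are the point of the `facetCheck` switch: a compliant browser never produces an assertion for the phishing page at all, and even a client that skipped that check would hand the attacker a signature whose client data says it was made at bank-example.phish, which the relying party rejects before it looks at the signature. The attacker relays bytes in both directions, but the bytes carry the wrong origin. The TOTP code, by contrast, is the same six digits wherever it was typed.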