They can use the TOTP token to auth themselves, whereas U2F will not work if you are the middle-man.
U2F basically[0] signs the current URI and HTTPS key and sends it back. If there is a man-in-the-middle then the signatures will not match and the auth will fail.
[0]: https://developers.yubico.com/U2F/Protocol_details/Overview....
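As an added example (not part of the comment above, and not Yubico's code), here is a standard-library Python model of the origin binding the comment describes. Assumptions: the relying party, phishing origin, challenge and device secret are all constructed, and an HMAC keyed per appId stands in for the authenticator's ECDSA P-256 signature so the example runs offline. What gets signed follows the U2F authentication response layout: SHA-256 of the appId, the user-presence byte, the 4-byte counter, and SHA-256 of the browser-supplied clientData, which is where the origin lives.

```python
import hashlib
import hmac
import json
import struct

# Constructed example. An HMAC keyed per appId stands in for the ECDSA P-256
# signature a real authenticator produces (assumption, so this runs with the
# standard library only). The bytes under the signature are the U2F layout:
#   SHA-256(appId) || user-presence byte || 4-byte counter || SHA-256(clientData)

RP_APP_ID = "https://bank.example"           # constructed relying party
PHISH_ORIGIN = "https://bank-login.example"   # constructed man-in-the-middle origin
DEVICE_SECRET = b"constructed-device-secret"  # constructed, never leaves the device


def app_key(app_id: str) -> bytes:
    """Stand-in for the key pair an authenticator binds to one appId at registration."""
    return hmac.new(DEVICE_SECRET, app_id.encode(), hashlib.sha256).digest()


def client_data(challenge: str, origin: str) -> bytes:
    """What the browser assembles; the origin is stamped by the browser, not by the page."""
    return json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()


def signed_bytes(app_id: str, presence: int, counter: int, cd: bytes) -> bytes:
    """The exact byte string the authenticator signs in a U2F authentication response."""
    return (
        hashlib.sha256(app_id.encode()).digest()
        + bytes([presence])
        + struct.pack(">I", counter)
        + hashlib.sha256(cd).digest()
    )


def authenticator_sign(app_id: str, counter: int, cd: bytes) -> dict:
    """Device side: sign with the key registered for this appId (HMAC stand-in)."""
    presence = 1  # user touched the token
    sig = hmac.new(app_key(app_id), signed_bytes(app_id, presence, counter, cd), hashlib.sha256).digest()
    return {"presence": presence, "counter": counter, "clientData": cd, "signature": sig}


def rp_verify(response: dict, expected_challenge: str, last_counter: int) -> str:
    """Relying-party side: check origin, challenge, counter, then the signature."""
    try:
        cd = json.loads(response["clientData"])
    except ValueError:
        return "rejected: clientData not JSON"
    if cd.get("origin") != RP_APP_ID:
        return "rejected: origin mismatch"
    if cd.get("challenge") != expected_challenge:
        return "rejected: challenge mismatch"
    if response["counter"] <= last_counter:
        return "rejected: counter did not advance"
    expected = hmac.new(
        app_key(RP_APP_ID),
        signed_bytes(RP_APP_ID, response["presence"], response["counter"], response["clientData"]),
        hashlib.sha256,
    ).digest()
    if not hmac.compare_digest(expected, response["signature"]):
        return "rejected: bad signature"
    return "ok"


CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed, normally random per login


def legit_login() -> str:
    """User on the real site: browser stamps the real origin, device signs for the real appId."""
    cd = client_data(CHALLENGE, RP_APP_ID)
    return rp_verify(authenticator_sign(RP_APP_ID, 42, cd), CHALLENGE, 41)


def mitm_relay() -> str:
    """Phisher relays the bank's challenge to the victim. The browser stamps the phishing
    origin, and only lets a page use an appId whose facets include its own origin, so the
    device signs for the phisher's appId. Forwarding that response fails at the origin check."""
    cd = client_data(CHALLENGE, PHISH_ORIGIN)
    return rp_verify(authenticator_sign(PHISH_ORIGIN, 42, cd), CHALLENGE, 41)


def mitm_rewrite_origin() -> str:
    """Phisher patches clientData.origin before forwarding. The origin check now passes,
    but SHA-256(clientData) and the per-appId key both changed, so the signature fails."""
    cd = client_data(CHALLENGE, PHISH_ORIGIN)
    resp = authenticator_sign(PHISH_ORIGIN, 42, cd)
    resp["clientData"] = client_data(CHALLENGE, RP_APP_ID)
    return rp_verify(resp, CHALLENGE, 41)


if __name__ == "__main__":
    print("direct login:        ", legit_login())
    print("relayed from phisher:", mitm_relay())
    print("origin rewritten:    ", mitm_rewrite_origin())
```

The two rejections show why relaying a U2F response does not work the way relaying a TOTP code does: the origin is written into the signed data by the browser, and the signing key itself is bound to the appId, so the middle-man cannot obtain a response the real relying party will accept without also controlling the victim's browser or token.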