They can use the TOTP token to auth themselves, whereas U2F will not work if you are the middle-man.
U2F basically[0] signs the current URI and HTTPS key and sends it back. If there is a man-in-the-middle then the signatures will not match and the auth will fail.
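Added example (not code from the comment above): a simplified model of the origin binding the comment describes, showing why a relayed U2F assertion fails verification while a relayed TOTP code would not. The origins are constructed, and HMAC stands in for the ECDSA P-256 signature a real authenticator uses, so the example runs on the Python standard library.

```python
import hashlib
import hmac
import json

# Constructed origins: the real relying party and a look-alike proxy sitting in the middle.
RP_ORIGIN = "https://example.com"
PROXY_ORIGIN = "https://examp1e.com"

# Stand-in for the authenticator's private key. Real U2F uses an ECDSA P-256 key pair;
# HMAC is used here only so the example runs on the standard library.
DEVICE_KEY = b"constructed-device-secret"


def client_data(origin, challenge):
    """What the browser hands the authenticator: the origin it is really connected to."""
    return json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()


def authenticator_sign(app_id, cdata, counter=1):
    """Sign SHA-256(appId) || user-presence byte || counter || SHA-256(clientData),
    mirroring the U2F authentication message layout (signature primitive swapped for HMAC)."""
    msg = (hashlib.sha256(app_id.encode()).digest() + b"\x01"
           + counter.to_bytes(4, "big") + hashlib.sha256(cdata).digest())
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()


def rp_verify(challenge, cdata, signature, counter=1):
    """Relying-party check: the origin must be ours and the signature must cover exactly that origin."""
    data = json.loads(cdata)
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != challenge:
        return False
    expected = authenticator_sign(RP_ORIGIN, cdata, counter)
    return hmac.compare_digest(expected, signature)


def direct_login(challenge="c1"):
    """User talks to the real site: origin and signature both match."""
    cdata = client_data(RP_ORIGIN, challenge)
    return rp_verify(challenge, cdata, authenticator_sign(RP_ORIGIN, cdata))


def relayed_login(challenge="c1", rewrite_origin=False):
    """User talks to the proxy, which forwards the assertion to the real site."""
    # The browser is connected to the proxy, so the authenticator signs over the proxy's origin.
    cdata = client_data(PROXY_ORIGIN, challenge)
    sig = authenticator_sign(PROXY_ORIGIN, cdata)
    if rewrite_origin:
        # Proxy patches the origin field before forwarding; the signature no longer covers this data.
        cdata = client_data(RP_ORIGIN, challenge)
    return rp_verify(challenge, cdata, sig)
```

A TOTP code carries no origin at all, so the same relay would pass; that is the difference the comment is pointing at.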