My Proposal
Ideally, provide CTAP2 1FA, via FIDO2. However, U2F 2FA would be an improvement over TOTP 2FA, insofar as one remains able to have TOTP 2FA registered, when CTAP 1/2FA is (solely for use if CTAP authentication is not supported by the client).
My Rationale
FIDO2 1/2FA provides a significantly quicker authentication process, and provides significantly less chance of phishing, since the user cannot be convinced to enter a credential (although TOTP mostly solves that, too). However, TOTP doesn't provide secure 1FA.