Torsion-Limit, there is nothing that can fully protect all users, and overall these techniques are still a balance between security and user experience.
Assuming the first factor is compromised:
- TOTP phishing is theoretically possible, mainly in a "manual" mode, meaning that the victim has to be targeted and the attack itself can be performed in real time.
- If we are talking about such targeted attacks, U2F is also not 100% secure: the attacker would only need physical access to the U2F key for a short time. The attacker would need to log in, enrol another key and put the original key back. Stealing a U2F key is harder than TOTP phishing, but it would give permanent access (whereas with TOTP they "need to phish the TOTP code each time they log in").
There are other (less common) aspects of U2F security to be aware of:
https://www.wired.com/story/chrome-yubikey-phishing-webusb/
- FIDO2 with biometrics is more secure and phish-proof (and Microsoft is moving in that direction), but it has its own downsides.
The main one is having to plug something into your USB port (which, by the way, is disabled in many organizations), and this is something many users would like to avoid. It has its own risks as well:
https://www.secsign.com/usb-authentication-keys-tokens-bad-idea/
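As an added illustration (example code written for this thread, not taken from the post above or from any of the linked pages), here is a self-contained Python simulation of the two points being discussed: a TOTP code relayed to the real site within the server's acceptance window is indistinguishable from one the victim typed there directly, while a U2F/FIDO assertion carries the origin the browser actually talked to, so the relying party can reject it. The origins, the credential key, the victim seed and the HMAC stand-in for the real ECDSA signature are assumptions of the example, not anything from the original discussion.

```python
import hashlib
import hmac
import json
import struct

# ---- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) -----------------

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: float) -> str:
    """What the victim's authenticator app displays at unix_time."""
    return hotp(secret, int(unix_time) // STEP_SECONDS)


def server_verify_totp(secret: bytes, code: str, unix_time: float, skew: int = 1) -> bool:
    """Typical server-side check: accept the current step plus/minus `skew` steps."""
    step = int(unix_time) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-skew, skew + 1))


def relay_totp_attack(secret: bytes, victim_time: float, relay_delay: float) -> bool:
    """Real-time phish: the victim types the code into the attacker's page at victim_time and
    the attacker submits that same code to the real site relay_delay seconds later.
    Nothing in the code says which site it was typed into, so only timing matters."""
    code_typed_into_phishing_page = totp(secret, victim_time)
    return server_verify_totp(secret, code_typed_into_phishing_page, victim_time + relay_delay)


# ---- U2F / FIDO-style assertion with origin binding (simplified) ------------
# A real authenticator signs with an ECDSA P-256 credential key over
# SHA-256(appId/rpId) || flags || counter || SHA-256(clientData). To stay
# dependency-free, the per-credential "signature" below is an HMAC-SHA256 with a
# key that only the authenticator and (from registration) the relying party hold.
# That stand-in is an assumption of this example; the property shown is the real one:
# the browser, not the web page, writes the origin it is actually showing into
# clientData, and the relying party rejects any assertion made for another origin.


def authenticator_sign(cred_key: bytes, browser_origin: str, challenge: bytes) -> dict:
    client_data = json.dumps({"origin": browser_origin, "challenge": challenge.hex()}).encode()
    message = hashlib.sha256(browser_origin.encode()).digest() + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "sig": hmac.new(cred_key, message, hashlib.sha256).digest()}


def rp_verify(cred_key: bytes, expected_origin: str, challenge: bytes, assertion: dict) -> bool:
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != expected_origin or cd.get("challenge") != challenge.hex():
        return False  # made for a different site, or a replayed/unknown challenge
    message = hashlib.sha256(cd["origin"].encode()).digest() + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, message, hashlib.sha256).digest(), assertion["sig"])


REAL_ORIGIN = "https://login.example.com"              # constructed
PHISH_ORIGIN = "https://login.example.com.evil.test"   # constructed look-alike
CRED_KEY = b"per-credential-key-registered-with-the-rp"  # constructed


def honest_u2f_login(challenge: bytes) -> bool:
    assertion = authenticator_sign(CRED_KEY, REAL_ORIGIN, challenge)
    return rp_verify(CRED_KEY, REAL_ORIGIN, challenge, assertion)


def relay_u2f_attack(challenge: bytes, tamper: bool) -> bool:
    """Same relay as for TOTP: the phishing page forwards the real site's challenge to the
    victim, whose browser signs it under the phishing origin. If tamper is set, the attacker
    also rewrites the origin field before forwarding, which breaks the signature instead."""
    assertion = authenticator_sign(CRED_KEY, PHISH_ORIGIN, challenge)
    if tamper:
        assertion["client_data"] = json.dumps({"origin": REAL_ORIGIN, "challenge": challenge.hex()}).encode()
    return rp_verify(CRED_KEY, REAL_ORIGIN, challenge, assertion)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, reused as a constructed victim seed
    t = 1_700_000_000
    print("TOTP relayed within 10 s accepted :", relay_totp_attack(secret, t, 10))
    print("TOTP relayed after 120 s accepted :", relay_totp_attack(secret, t, 120))
    chal = hashlib.sha256(b"constructed challenge").digest()
    print("U2F honest login accepted         :", honest_u2f_login(chal))
    print("U2F relayed assertion accepted    :", relay_u2f_attack(chal, tamper=False))
    print("U2F tampered assertion accepted   :", relay_u2f_attack(chal, tamper=True))
```

The TOTP half is the "manual, real-time" attack from the post: the relayed code is accepted as long as it lands inside the server's step window (the usual one-step skew gives the attacker up to a minute), and it has to be repeated for every login because the next code is a fresh HMAC over a new counter. The U2F half shows why the same relay fails there: the assertion is bound to the origin the browser saw, and rewriting that field only invalidates the signature.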