> But hopefully someone else can comment on the security improvements of Soft U2F or if it's more just building a standard rather than people having to rely on Authy or such.
The main difference is that U2F is phishing-resistant because it binds keys to the origin. TOTP, on the other hand, can still be phished.
(I believe Authy attempted to solve some of this with their browser extension for sites that use their first-party integration, rather than just for users using Authy as a generic TOTP app. I would generally avoid their first-party integration because of their reliance on SMS.)
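Added example, not part of the original comment: a small simulation of the origin binding described above, run once from the real login page and once from a look-alike page that relays what it receives. The origins, `ToyToken` and the verify functions are hypothetical names, and HMAC stands in for the ECDSA P-256 signature a real U2F token produces.

```python
import hashlib, hmac, json, os, struct

REAL, LOOKALIKE = "https://login.example.test", "https://login.examp1e.test"  # constructed

def totp(secret: bytes, t: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). No origin appears anywhere in the inputs."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_verify_totp(secret: bytes, typed: str, t: int) -> bool:
    return hmac.compare_digest(typed, totp(secret, t))

class ToyToken:
    """Toy U2F token; HMAC stands in for real U2F's ECDSA P-256 signature."""
    def __init__(self):
        self._device_secret = os.urandom(32)

    def key_for(self, origin: str) -> bytes:
        # One key per origin: a different origin selects a different key.
        return hmac.new(self._device_secret, origin.encode(), hashlib.sha256).digest()

    def sign(self, browser_origin: str, challenge: str):
        # The browser, not the page, reports the origin it is actually showing.
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}).encode()
        msg = hashlib.sha256(browser_origin.encode()).digest() + hashlib.sha256(client_data).digest()
        return client_data, hmac.new(self.key_for(browser_origin), msg, hashlib.sha256).digest()

def server_verify_u2f(key: bytes, challenge: str, client_data: bytes, sig: bytes) -> bool:
    data = json.loads(client_data)
    if data["origin"] != REAL or data["challenge"] != challenge:
        return False  # signed for some other origin or a stale challenge
    msg = hashlib.sha256(REAL.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(key, msg, hashlib.sha256).digest())

def login_attempts(now: int = 1_700_000_000) -> dict:
    """Try each second factor from the real page and from a relaying look-alike page."""
    secret, token, challenge = os.urandom(20), ToyToken(), os.urandom(16).hex()
    key = token.key_for(REAL)  # registered with the real site at enrolment
    results = {}
    for label, origin in (("real", REAL), ("lookalike", LOOKALIKE)):
        typed = totp(secret, now)  # the user reads the same code on any page
        results["totp_" + label] = server_verify_totp(secret, typed, now)
        results["u2f_" + label] = server_verify_u2f(key, challenge, *token.sign(origin, challenge))
    return results

if __name__ == "__main__":
    print(login_attempts())
```

The TOTP code verifies regardless of which page collected it, while the token's response only verifies when the browser was on the registered origin.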