Ideally, provide CTAP2 1FA, via FIDO2. However, U2F 2FA would be an improvement over TOTP 2FA, insofar as one remains able to have TOTP 2FA registered, when CTAP 1/2FA is (solely for use if CTAP authentication is not supported by the client).