
It would rock to be able to avoid having the Authenticator app, but I think “U2F plus a TOTP device” is pretty solidly better than “U2F plus SMS”, and this comment tree is suggesting that GitHub doesn’t allow for disabling SMS.

If you do U2F with 2 keys, TOTP, and throw away the TOTP secret after you activate it, you’re exposed to a slight additional risk because the TOTP secret is still stored by GitHub, but that’s radically better than a world where they mandate SMS.
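The residual risk in the comment above comes from TOTP being a symmetric scheme: the seed the QR code hands to the user's device is the same seed the server keeps, so anyone holding the server copy can compute valid codes. The RFC 6238 walk-through below is an added example, not code from the thread or from GitHub; the seed and timestamps are the RFC's published test values.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference seed (ASCII "12345678901234567890").
RFC_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to elapsed time steps since the epoch."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(seed, unix_time // step, digits)


def enrol() -> tuple[bytes, str]:
    """Enrolment: a random seed, plus its base32 form (what an otpauth:// QR code carries).
    The service stores the raw seed; the device stores the same bytes decoded from base32."""
    seed = hashlib.sha256(b"constructed-demo-entropy").digest()[:20]  # demo only, not os.urandom
    return seed, base64.b32encode(seed).decode()


def verify_totp(stored_seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift (constant-time compare)."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(stored_seed, unix_time + drift * 30), code):
            return True
    return False


def device_code_from_qr(base32_seed: str, unix_time: int) -> str:
    """What the authenticator app computes after scanning the QR code."""
    return totp(base64.b32decode(base32_seed), unix_time)


def server_can_reproduce_code(stored_seed: bytes, base32_seed: str, unix_time: int) -> bool:
    """The crux: the stored seed alone yields the same code the device would show, even after the
    user has deleted their copy. Compare U2F, where the server keeps only a public key."""
    return totp(stored_seed, unix_time) == device_code_from_qr(base32_seed, unix_time)
```

Because of that property, a leaked TOTP seed table is equivalent to a second-factor bypass for every enrolled account, which is why seeds belong encrypted at rest or in an HSM, and why the comment treats a still-enrolled TOTP as residual risk rather than none.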



True, I just amended my initial comment to reflect the fact that GitHub is not as bad as I made it look, but the second-class citizen point still stands, even if some workaround like "throw away the TOTP" is applied.


I agree with your overall point. I’m hopeful that bringing U2F/FIDO2 to iPhone will help continue to push these standards into being first-class citizens. Right now, I use TOTP for a ton of sites because I’m using an iPad Pro as my primary workstation, despite the fact that it has a USB-C port and I’ve got a pile of USB-C Yubikeys.



