Hello everyone. I've recently decided to strengthen my internet security and privacy. I've purchased a U2F key to use as a 2nd factor wherever it's possible. What struck me was that I can't use the physical key as the only second factor. I always have to enable soft-generated tokens first; only then can I register physical key(s) as an alternative. Disabling OTP disables MFA altogether. This is true for many websites as well as my password manager. Hence, my questions:
- Doesn't it nullify U2F's advantage if it's only an alternative to soft tokens?
- Is there a reason for such a policy?