How is that possible? Codes from authenticator apps I've seen are 6-digit decimal codes. I don't know much about how it works, but I can't see how this is immune to MITM. I pretend to be $SERVICE and ask you for your authenticator code. If you fall for it, you'd give me the code, which I can use to impersonate you for the next 30 seconds.
Codes from those apps are typically TOTP: a deterministic output given a shared secret (e.g. from a QR code during the setup procedure) and the current time interval, e.g. HMAC(shared-secret, time-interval) mod 10^6. This does not embed the domain. However, U2F is a completely different protocol that does: you'd typically insert a YubiKey in a USB port and tap a button on it when the browser sends "plz sign a request from login.bank.com" (+ other associated data) https://developers.yubico.com/U2F/Protocol_details/Overview....
(Note that most YubiKeys also support non-U2F modes, most commonly HOTP (HMAC(shared-secret, counter); counter +=1))
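To make the contrast in the comment above concrete, here is an added Python example (not posted by any commenter): RFC 6238 TOTP exactly as described, a server-side check that optionally accepts the previous interval's code, and a toy origin-bound assertion. The HMAC stand-in for the authenticator's signature, the hostnames and the credential key are assumptions; real U2F/WebAuthn keys sign with per-credential ECDSA keys.

```python
import hashlib
import hmac
import struct

# RFC 6238 test-vector secret (constructed demo value; real secrets come from the setup QR code)
SECRET = b"12345678901234567890"
STEP, DIGITS = 30, 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the 30-second time interval."""
    return hotp(secret, unix_time // STEP)


def verify_totp(secret: bytes, code: str, unix_time: int, grace_intervals: int = 0) -> bool:
    """Server-side check. grace_intervals=1 also accepts the previous interval's code;
    that convenience widens the window in which a relayed code is still valid."""
    now = unix_time // STEP
    return any(hmac.compare_digest(hotp(secret, now - k), code) for k in range(grace_intervals + 1))


# Toy origin-bound assertion. The browser, not the user, fills in the origin, so a
# response obtained on a look-alike site carries the wrong origin and fails verification.
# HMAC stands in here for the per-credential ECDSA signature real U2F/WebAuthn keys produce.
def authenticator_assert(key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    return hmac.new(key, challenge + b"|" + browser_origin.encode(), hashlib.sha256).digest()


def rp_verify(key: bytes, challenge: bytes, response: bytes, rp_origin: str) -> bool:
    return hmac.compare_digest(authenticator_assert(key, challenge, rp_origin), response)


def relay_outcomes(unix_time: int = 59) -> dict:
    """Relay scenario: a TOTP code typed on the wrong site is accepted by the real site;
    an origin-bound assertion produced on the wrong site is not."""
    phished_code = totp(SECRET, unix_time)  # user reads it off the app and types it on the fake site
    key, challenge = b"demo-credential-key", b"server-nonce-0001"  # constructed values
    real, fake = "https://login.bank.com", "https://login-bank.example"  # assumed hostnames
    relayed_assertion = authenticator_assert(key, challenge, fake)  # browser is really on the fake site
    return {
        "totp_relay_accepted": verify_totp(SECRET, phished_code, unix_time),
        "assertion_relay_accepted": rp_verify(key, challenge, relayed_assertion, real),
    }
```

With the RFC 6238 test secret, `totp(SECRET, 59)` yields `287082`, matching the published SHA-1 vector truncated to six digits.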
U2F/WebAuthn doesn't use six-digit codes. You plug in the USB key, press the button on top of the key, and the browser does an exchange with the key and passes the result to the site.
The exchange between browser and key includes the domain of the site. It only works on the same site where you registered the key.
AFAIK some websites allow you to use the previous TOTP code for convenience for a few more seconds. That makes the total time to impersonate you 30 seconds (or whatever was configured while issuing the TOTP secret) plus the grace period the website allows.
You misread that statement, and the excerpt you copied completely changes its meaning if you remove the surrounding text. Read it as:
"U2F/WebAuthn is secure because it does origin binding which is not phishable, unlike entering a TOTP or a code from your hardware token or authenticator app or SMS"
Putting the original parenthetical in between the start and end of the main clause definitely makes it easy to misread. I just moved the parenthetical to the end of the sentence.
I really wonder why typically the default policy is to convert a TOTP token into a longer-lived token (keep the browser authorized), defying the whole idea of TOTP. Used like this it seems like just two passwords, or am I missing something? Phishing seems really easy.