
Github supports U2F (two-factor auth). Please use it.


Github's SMS or TOTP requirement for u2f use is a shame - why would you use u2f if you have already set up these? And if you want to use u2f because you don't trust your phone as a security device (hello Android users) - not good. Or maybe you don't want to mix your personal phone with work IT infra; it's a bad equation there too.

I guess you could still use a software TOTP implementation on your workstation to fool Github, but then you are not getting the additional security from u2f, because the TOTP codes are a substitute for the u2f token.


What if you just throw away the TOTP secret right after you get it and verify it on Github? You don't have to use your phone either. Just because you used TOTP to set up u2f on Github doesn't mean you have to store the TOTP secret indefinitely.


Yes, I guess you could navigate it this way. But clearly this is not something Github wants users to do, so I wonder if this way is bad somehow. Maybe there is no backup mechanism to recover from u2f token loss other than the old 2fa mechanisms, for example.


> - action-item: review 2FA requirements for GitHub org

> - done: Gentoo GitHub Organization currently requires 2FA to join.