US government rolls out 2-step verification for .gov domain owners October 8, 2018 https://www.zdnet.com/article/us-government-rolls-out-2-step-verification-for-gov-domain-owners/
Surprisingly, our biggest agency doesn't even offer U2F along with these changes. They are using Google Authenticator, which is TOTP. Its better than no 2 factor by a long shot but far short of U2F. Next, most non-techie users will not even have a clue how to backup their QR/base 32 code in the event their cell is lost or broken. Without a backup code that will be a major hassle for the Admins dealing with all the "hand holding". I love TOTP in the hands of a techie, but NOT for uninformed users.