U2F prevents some vulnerabilities that TOTP alone can't. It's possible to replicate it in software instead of a hardware token, but so far nobody has. So if you're adopting 2FA, suggestion is to use U2F if you can.