656 points EthanHeilman | 7 comments
1. unethical_ban No.30106682
TOTP is not going anywhere for much of the Internet. Hold on while I get a Yubikey to my dad who thinks "folders can't be in other folders" because that's not how they work in real life.

TOTP is a great security enhancement, and while phishable, considerably raises the bar for an attacker.

The fact that TOTP is mentioned as a bad practice in this document is an indicator that this should not be considered a general best practices guide. It is a valid best practice guide for a particular use case and particular user base.

replies(3): >>30106810 #>>30106859 #>>30110488 #
2. adgjlsfhk1 No.30106810
the advantage of fido2/webauthn is actually biggest for non techies. tech people are the ones who won't fall for take bad phishing attempts. stopping malicious logins from fake sites is a massive win.
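To make the "fake sites" point concrete: the difference is whether the second factor is bound to the origin the user is actually looking at. The example below is added here and is not part of the thread; it implements RFC 6238 TOTP with the standard library and a simplified WebAuthn-style assertion in which an HMAC stands in for the real public-key signature (an assumption made so the code runs offline). The origins, secrets and challenge values are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import struct


# --- TOTP (RFC 6238: HMAC-SHA1, 6 digits, 30 s step) ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_login(secret: bytes, submitted: str, now: int, skew: int = 1) -> bool:
    # The server only checks that the digits match a recent window. Nothing in the
    # code says which site the user typed it into, so a relayed code is accepted.
    return any(
        hmac.compare_digest(totp(secret, now + d * 30), submitted)
        for d in range(-skew, skew + 1)
    )


def simulate_totp_relay(secret: bytes, now: int) -> bool:
    # Constructed scenario: the user types the code on a look-alike page, and that
    # page forwards it to the real site a few seconds later, still inside the window.
    typed_on_fake_site = totp(secret, now)
    return totp_login(secret, typed_on_fake_site, now + 5)  # expected: True


# --- WebAuthn-style assertion (simplified; HMAC stands in for the signature) ---
def authenticator_sign(cred_key: bytes, challenge: str, origin: str) -> dict:
    # In WebAuthn the *browser* writes the origin it is displaying into clientData;
    # page script cannot override it. That is the property the check below relies on.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    digest = hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, digest, hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}


def rp_verify(cred_key: bytes, expected_challenge: str, expected_origin: str,
              assertion: dict) -> bool:
    data = json.loads(assertion["clientData"])
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") != expected_origin:
        return False  # this comparison is what defeats the look-alike site
    digest = hashlib.sha256(assertion["clientData"]).digest()
    expected_sig = hmac.new(cred_key, digest, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


RP_ORIGIN = "https://bank.example"            # constructed relying-party origin
FAKE_ORIGIN = "https://bank-example.login.test"  # constructed look-alike origin


def simulate_webauthn_relay(cred_key: bytes) -> bool:
    # The fake site relays the real site's challenge, but the user's browser is on
    # the fake origin, so the signed clientData carries that origin and verification fails.
    challenge = secrets.token_urlsafe(32)
    assertion = authenticator_sign(cred_key, challenge, FAKE_ORIGIN)
    return rp_verify(cred_key, challenge, RP_ORIGIN, assertion)  # expected: False


def simulate_webauthn_legit(cred_key: bytes) -> bool:
    challenge = secrets.token_urlsafe(32)
    assertion = authenticator_sign(cred_key, challenge, RP_ORIGIN)
    return rp_verify(cred_key, challenge, RP_ORIGIN, assertion)  # expected: True


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector key
    print("TOTP relayed through fake site accepted:", simulate_totp_relay(secret, 1_000_000))
    print("WebAuthn relayed through fake site accepted:", simulate_webauthn_relay(secret))
    print("WebAuthn on the real origin accepted:", simulate_webauthn_legit(secret))
```

The TOTP half is not where the security lives; it is there to show that a code verifier has no input describing where the user typed the code, whereas an origin-bound assertion carries the origin inside the signed data, so the relying party can reject it without any user judgement involved. A production relying party additionally checks the RP ID hash, the signature counter and the user-presence flag in authenticatorData, which this simplified block omits.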
3. tptacek No.30106859
Yubikeys aren't the serious long-term alternative to TOTP; software keys embedded in phones are what we're going to end up with.
replies(2): >>30108684 #>>30118196 #
4. zie No.30108684
I want to disagree, but I can't, because you are right. Though perhaps as wearable tech grows (watches and what not), perhaps the keys will exist there also.
5. konklone No.30110488
The document distinguishes between enterprise-facing and public-facing systems. For enterprise-facing (government employees, contractors, etc.), it's talking about discontinuing use of TOTP. For public-facing systems, it doesn't impose any restrictions, since (as you're saying) the general public really needs options.
6. takumif No.30118196
I have a newbie question: Can't we embed a hardware key into a phone, and that'd be just as good as a Yubikey? Do we already do this, or is there a reason why we don't?
replies(1): >>30123769 #
7. totony No.30123769
Laptops can have smart cards so there's no reason a phone couldn't