github & gitlab require you to register a TOTP authenticator app before you can enable U2F (presumably to avoid manual resets, although they don't say)

google's enhanced protection requires you to have 2 distinct yubikeys to sign up