WTH can't we use FIDO2 as 2FA?


TOTP is not safe anymore, please read:

TOTP is not ‘unsafe’ and nothing has changed recently about this.
But it is not phishing resistant (whereas FIDO is) and the breaches you linked to in the article demonstrate this. This has always been a flaw in TOTP - its design is to prevent the utility of stored/leaked usernames+passwords.

FIDO2 would be of some benefit as a 2FA method; however, the implementation is the tricky bit, as it will need a reliable URL as the RP for the credentials. For most, TOTP is likely still sufficient; it depends on which attacks, and from whom, you are trying to prevent.
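The difference between the two factors that the reply describes (a TOTP code is valid wherever it is typed, while a FIDO2/WebAuthn assertion is bound to the RP ID and origin the browser fills in) is easier to see in code. The following is an added example written for this page, not code posted in the thread or taken from any FIDO library. It uses only the Python standard library: the TOTP half follows RFC 6238 (HMAC-SHA1, 30 s step, 6 digits); the WebAuthn half is a simplified model in which an HMAC over the same inputs stands in for the authenticator's ECDSA signature, and the domains `bank.example` and `bank-example.com` are constructed for the scenario.

```python
import base64
import hashlib
import hmac
import json
import struct

# ---------- TOTP (RFC 6238: HMAC-SHA1, 30 s time step, 6 digits) ----------
STEP = 30

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_verify(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    # Servers usually accept the neighbouring steps to absorb clock drift.
    return any(hmac.compare_digest(totp(secret, unix_time + k * STEP), code)
               for k in range(-skew, skew + 1))

def totp_phish_relay(shared_secret: bytes, now: int) -> bool:
    # Victim reads the code from the app and types it into the phishing page;
    # the phisher forwards it to the real site a few seconds later.
    code_typed_at_phisher = totp(shared_secret, now)
    return totp_verify(shared_secret, code_typed_at_phisher, now + 5)  # accepted: nothing ties the code to a site

# ---------- WebAuthn-style assertion (simplified model, HMAC stands in for ECDSA) ----------
RP_ID = "bank.example"                       # constructed RP ID for the example
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.com"    # constructed look-alike phishing origin

class SecurityError(Exception):
    pass

def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _host(origin: str) -> str:
    return origin.split("://", 1)[1].split("/")[0].split(":")[0]

def browser_get(current_origin: str, rp_id: str, challenge: bytes, credential_key: bytes):
    """Model of navigator.credentials.get(): the browser, not the page, writes the
    origin into clientDataJSON and refuses an rpId that is not the page's effective
    domain or a registrable suffix of it."""
    host = _host(current_origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise SecurityError(f"rpId {rp_id!r} is not valid for origin {current_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                              "origin": current_origin}, separators=(",", ":")).encode()
    # authenticatorData: rpIdHash || flags (UP set) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(credential_key, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
    return client_data, auth_data, sig

def rp_verify(expected_origin: str, rp_id: str, issued_challenge: bytes, credential_key: bytes,
              client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """RP-side checks in the order WebAuthn specifies them: type, challenge, origin,
    rpIdHash, then the signature over authData || SHA-256(clientDataJSON)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != _b64url(issued_challenge):
        return False
    if cd.get("origin") != expected_origin:
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    expected = hmac.new(credential_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

KEY = b"constructed-credential-key"
CHALLENGE = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"

def fido_legit() -> bool:
    cd, ad, sig = browser_get(RP_ORIGIN, RP_ID, CHALLENGE, KEY)
    return rp_verify(RP_ORIGIN, RP_ID, CHALLENGE, KEY, cd, ad, sig)

def fido_phish_relay() -> str:
    # Phisher relays the bank's real challenge from its own page and asks for the bank's rpId.
    try:
        browser_get(PHISH_ORIGIN, RP_ID, CHALLENGE, KEY)
        return "assertion issued"
    except SecurityError:
        return "blocked by browser"

def fido_phish_own_rpid() -> bool:
    # Even if the phisher gets an assertion under its own rpId (same key used here only to
    # isolate the binding checks), origin and rpIdHash do not match what the bank expects.
    cd, ad, sig = browser_get(PHISH_ORIGIN, "bank-example.com", CHALLENGE, KEY)
    return rp_verify(RP_ORIGIN, RP_ID, CHALLENGE, KEY, cd, ad, sig)

if __name__ == "__main__":
    print("TOTP relayed by phisher accepted:", totp_phish_relay(b"12345678901234567890", 1_700_000_000))
    print("FIDO legit login accepted:", fido_legit())
    print("FIDO relay from phishing origin:", fido_phish_relay())
    print("FIDO assertion under phisher's rpId accepted:", fido_phish_own_rpid())
```

The point the reply makes about needing "a reliable URL as the RP" is visible in `browser_get` and `rp_verify`: the RP ID and origin are checked on both sides, so a deployment whose login page is reachable under several hostnames, or behind a proxy that rewrites the origin, will see legitimate assertions rejected for the same reason the phished ones are. TOTP has no such dependency, which is both why it is easier to deploy and why the relayed code in `totp_phish_relay` is accepted.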