Require 2FA to remove U2F tokens
To increase account security, users should have to use a 2FA method to remove a U2F token. Currently, if you want to disable TOTP, you have to provide a valid OTP or recovery code, but U2F tokens can be removed at will. I should require entering a TOTP code or a recovery code, or using a U2F token, before a token can be removed.
In addition, I should allow using a U2F token to disable TOTP; that is, when a user goes to disable TOTP, they can use an OTP, a recovery code, or a U2F token.
I think a good approach would be to have a form (like for chat logs, reports, etc.) with TOTP, recovery code, and U2F fields, and just show whichever ones the user has enabled. I can then render it in a small view for TOTP and U2F.
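The server-side half of that design, as an added example that is not part of this issue or the project's code: one `verify_second_factor` check that accepts whichever of TOTP, recovery code, or U2F the user actually has enabled, and is required before a U2F token (or TOTP) can be removed. TOTP is verified with a stdlib RFC 4226/6238 implementation; the `User` class, the method names, and the caller-supplied `u2f_verifier` callback (which stands in for the library that validates the U2F assertion) are assumptions of this example.

```python
import hashlib
import hmac
import struct
import time


class User:
    """Assumed minimal account model: only enabled factors are populated."""
    def __init__(self, totp_secret=None, recovery_hashes=(), u2f_key_handles=()):
        self.totp_secret = totp_secret                # raw bytes; None if TOTP is off
        self.recovery_hashes = set(recovery_hashes)   # hashes of still-unused codes
        self.u2f_key_handles = set(u2f_key_handles)   # registered tokens


def hash_recovery_code(code: str) -> str:
    return hashlib.sha256(code.strip().encode()).hexdigest()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: float, step: int = 30, window: int = 1) -> bool:
    """RFC 6238 TOTP with +/- one step of clock drift, compared in constant time."""
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def verify_second_factor(user, method, proof, now=None, u2f_verifier=None) -> bool:
    """True only if `proof` satisfies a factor the user has ENABLED."""
    now = time.time() if now is None else now
    if method == "totp" and user.totp_secret is not None:
        return verify_totp(user.totp_secret, proof, now)
    if method == "recovery" and user.recovery_hashes:
        digest = hash_recovery_code(proof)
        match = next((h for h in user.recovery_hashes if hmac.compare_digest(h, digest)), None)
        if match is None:
            return False
        user.recovery_hashes.discard(match)   # recovery codes are single use
        return True
    if method == "u2f" and user.u2f_key_handles and u2f_verifier is not None:
        return bool(u2f_verifier(user, proof))   # assumed: library checks the assertion
    return False   # unknown method, or a method this user never enabled


def remove_u2f_token(user, key_handle, method, proof, **kw):
    """The change proposed above: removing a token requires a fresh second factor."""
    if not verify_second_factor(user, method, proof, **kw):
        raise PermissionError("second factor required to remove a U2F token")
    user.u2f_key_handles.discard(key_handle)
```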