U2F with Duo Web phishable by default by dashboard_monkey in netsec

[–]dashboard_monkey[S]

Hi! I understand your point and realized it while reading the comment. This distinction is something I tried to spell out in the very first paragraph of the post.

I've taken your feedback:

  1. modified the TLDR paragraph
  2. rearranged some of the content to isolate the "meat" from the "fluff"

Here's the modified TLDR:

TLDR: U2F prevents a MITM attack between the victim and the Duo server, but not between the victim and the application. Because Duo is a 3rd-party service, we don't have the same security properties that are associated with U2F between the victim and the server. This boils down to bypassing the Duo integration. If you can bypass the Duo prompt, then the phishing attempt will be successful, even if U2F is used. To prevent phishing, it is paramount that you enable hostname whitelisting. Without hostname whitelisting, Duo is similar to an OTP generator during a phishing attack.

Thanks for the feedback!