You can MITM OTP, but you can't MITM U2F. You can copy/steal the OTP secret from a phone app, but you can't copy/steal the U2F private key from a Yubikey (easily).
With Push MFA it's even easier. The sequence goes like this:
1. Crooks know Barry's password, but Push MFA is needed to sign into his account and conduct some crime.
2. Crooks somehow get Barry to go to a site they control, believing it is for work [there are a lot of ways to do this step: links in email, hijacking forgotten subdomains, typo squatting, the list goes on].
3. The site says "Hi Barry, we need to do Push MFA".
4. Crooks sign into Barry's real account with the password, causing a Push MFA to happen.
5. Barry was expecting Push MFA because the bogus site prompted saying it would happen, so he OKs it.
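The difference the comment points at, as an added example that is not part of the original comment: a push approval tells the server nothing about which site the user was looking at, while a U2F/WebAuthn assertion carries the origin the browser actually saw, so the real site can reject a response produced on a look-alike page. The sketch uses the WebAuthn field layout (the successor to U2F); the host names are constructed, the helper names are hypothetical, and signature verification, which a real relying party performs after these checks, is left out.

```python
import base64, hashlib, json

RP_ID = "login.corp.example"                  # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.corp.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Simulates what browser + authenticator emit for the page the user is on.
    The browser, not the page's script, fills in `origin`. Signature omitted."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData: rpIdHash (32 bytes) | flags (0x01 = user present) | signCount
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + b"\x01" + (1).to_bytes(4, "big"))
    return client_data, auth_data

def verify_assertion(client_data: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Relying-party checks that run before the signature is verified."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "reject: wrong type"
    if cd.get("challenge") != b64url(challenge):
        return "reject: challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "reject: origin mismatch"      # response was produced on another site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash mismatch"    # credential was scoped to another RP ID
    if not auth_data[32] & 0x01:
        return "reject: user not present"
    return "accept"

def verify_push(approved: bool) -> str:
    """A push approval is a bare yes/no; nothing in it names the site the user saw."""
    return "accept" if approved else "reject: denied"

if __name__ == "__main__":
    challenge = b"constructed-login-challenge"   # issued by the real site for this login
    for origin, rp in [(EXPECTED_ORIGIN, RP_ID),
                       ("https://login.corp-example.test", "login.corp-example.test")]:
        cd, ad = browser_assertion(origin, rp, challenge)
        print(origin, "->", verify_assertion(cd, ad, challenge))
    print("push approved ->", verify_push(True))
```
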