> but for login TOTP is better than anything else. I can put it on an Arduino with a small OLED board and have it in a safe/vault offline. And there is no way for an attacker to MITM
There totally is! How do you know you're entering the TOTP on a legitimate website?
WebAuthn prevents that, both by not letting you use a given key on the wrong website, and by including the origin in the signature generated using the key, which the relying party can then check for plausibility.
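
The relying-party check described in the reply above, as an added sketch that is not part of the original thread: the server verifies the signature over `authenticatorData || SHA-256(clientDataJSON)` and then compares the origin the browser recorded. The names `bank.example` and `bank-login.example`, the helper functions and the simplified `authenticatorData` layout are constructed for illustration; the browser-side refusal to offer a key to the wrong site is not modelled, so the sketch assumes an assertion was produced anyway.

```javascript
// Added example: relying-party side of a WebAuthn assertion check (simplified).
const { createHash, generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

const RP_ID = 'bank.example';              // constructed relying party ID
const RP_ORIGIN = 'https://bank.example';  // the only origin this RP accepts
const sha256 = (data) => createHash('sha256').update(data).digest();

// Stand-in for browser + authenticator. The browser, not the page, fills in `origin`.
function simulateAssertion(privateKey, pageOrigin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: pageOrigin,
  }));
  // Simplified authenticatorData: rpIdHash (32 bytes) | flags (1) | signCount (4)
  const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([0x01, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, privateKey) };
}

// Relying-party verification: signature first, then the fields it covers.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  if (!verify('sha256', signed, publicKey, a.signature)) return 'bad-signature';
  const clientData = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'wrong-type';
  if (clientData.challenge !== expectedChallenge.toString('base64url')) return 'wrong-challenge';
  if (clientData.origin !== RP_ORIGIN) return 'wrong-origin';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong-rp-id';
  return 'ok';
}

function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const challenge = randomBytes(32);
  const genuine = simulateAssertion(privateKey, RP_ORIGIN, challenge);
  // A look-alike page relays the real challenge; the browser records that page's origin.
  const relayed = simulateAssertion(privateKey, 'https://bank-login.example', challenge);
  // Rewriting the origin afterwards changes clientDataJSON, so the signature no longer matches.
  const edited = relayed.clientDataJSON.toString().replace('bank-login.example', 'bank.example');
  const rewritten = { ...relayed, clientDataJSON: Buffer.from(edited) };
  return {
    genuine: verifyAssertion(publicKey, challenge, genuine),
    relayed: verifyAssertion(publicKey, challenge, relayed),
    rewritten: verifyAssertion(publicKey, challenge, rewritten),
  };
}

console.log(demo());
```

A TOTP code carries no such binding: the six digits are the same whichever site they are typed into, so the server has nothing comparable to check.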