Only needing one means you have the "lowest common denominator" of 2FA. E.g. authenticator apps are vulnerable to phishing, while FIDO keys are not. Adding FIDO key as an optional second factor doesn't really add much security if people can still be phished using a MITM attack using the authenticator TOTP.