Why would a U2F key be more secure than an OTP device?
I have a YubiKey 5: I can store a PGP key inside, it has OTP abilities, FIDO, NFC, etc., which is great for a device like this.
First of all, I understand how a smart card is more secure than an app/SMS-based OTP, for instance, but seeing how the market is doing, I don't get why it's still considered more secure.
2FA means adding a second factor, which can be your mobile for SMS OTP, an OTP device (like RSA tokens), a USB key, and so on. Currently, almost all these solutions rely only on the fact that you own this object and nothing else (this is the case for YubiKeys and SMS OTPs), and app-based OTPs now include an authentication step to be launched, which makes them more secure. But without this authentication layer, a mobile is still less easy to lose than a tiny USB key. And why would a tiny USB key, advertised as being made to stay plugged into your computer forever, make it more secure at all?
I mean, if your laptop is stolen and your thief happens to have your credentials, well, your smart card doesn't authenticate you, so it adds no security at all then; but so would the app OTP, as a thief could also have your PIN code.
Anyway, given this, I find app-based OTP more secure than key-based today, which is more secure than portable always-on tokens like RSA's, not because of their design but because of how they're used today. Am I right?
One of your main points is valid: if the USB key is stolen with your device, it may still be game over if other credentials are known. Personally, I am not concerned about loss or theft of the USB token, since it doesn't really weaken security if used as a second factor, plus access can be revoked and some features may require a PIN.
However, the USB token is superior to a phone in that it cannot be compromised remotely and have its secrets dumped. Also, FIDO2 provides a layer of protection against phishing attacks that OTP simply cannot provide.
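The phishing point in the answer above, as an added example that is not part of the original post and not Yubico or FIDO code: a minimal stand-in for a WebAuthn relying party beside a TOTP check, showing that the browser binds a FIDO assertion to the origin it was made on, while an OTP code is accepted wherever it is typed. The names (RP_ID, CRED_KEY, the look-alike origin examp1e.com, the challenge string) are constructed, and an HMAC stands in for the credential's asymmetric signature so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json
import struct
import time

# --- TOTP (RFC 6238): the code depends only on the shared secret and the time ---
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def otp_server_accepts(secret: bytes, submitted: str, t: int) -> bool:
    # The server cannot tell whether the code was typed into its page or a phishing page.
    return hmac.compare_digest(submitted, totp(secret, t))

# --- FIDO2/WebAuthn assertion, simplified (constructed names) ---
RP_ID = "example.com"                      # the real site's relying-party ID
CRED_KEY = b"constructed credential key"   # stand-in for the credential key pair

def browser_assertion(origin: str, challenge: str):
    # The browser, not the user, fills in the origin and derives the RP ID hash from it,
    # so a page on another origin cannot claim to be example.com.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    rp_id = origin.split("://", 1)[1].split(":")[0]
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(CRED_KEY, signed, hashlib.sha256).digest()

def rp_verify(client_data: bytes, auth_data: bytes, sig: bytes, expected_challenge: str) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != "https://" + RP_ID:
        return False  # assertion made on a phishing origin: rejected before any crypto
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(CRED_KEY, signed, hashlib.sha256).digest())

def relay_phishing_outcome():
    """(otp_accepted, fido_accepted) when a look-alike site relays the real server's challenge."""
    secret, now = b"12345678901234567890", int(time.time())
    otp_accepted = otp_server_accepts(secret, totp(secret, now), now)  # phished code works as-is
    cd, ad, sig = browser_assertion("https://examp1e.com", "server-challenge-42")
    fido_accepted = rp_verify(cd, ad, sig, "server-challenge-42")
    return otp_accepted, fido_accepted
```

A real relying party additionally verifies the signature with the credential's public key and checks the signature counter; the origin and RP ID hash checks shown here are what make the assertion useless to a site on another origin.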