by tjohns
3498 days ago
A Yubikey can be run either in TOTP mode, in U2F mode, or as a generic smartcard. (Or a combination of the above.) It's configurable. I use a Yubikey that's configured both as a U2F token for Google, as well as a smartcard for PGP/SSH use. At their core, the construction of a Yubikey, smartcard, and HSM is very similar. The core idea is that you have physically secure memory guarded by a dedicated cryptoprocessor, so that your secrets never have to be exposed to the host OS when performing a signing operation.