by microtonal 3039 days ago
Yubikeys in U2F mode are better than any OTP because they protect you against phishing attacks. 1Password auto-filling arguably has this property too,

Not really. The TOTP RFC recommends accepting TOTP tokens from before and after the current time step to make TOTP work with clock drift. Since most implementations use time steps of 30 seconds and allow TOTP codes of at least one past and one future time step, the window in which a TOTP code can be used is typically 90 seconds.

Consequently, TOTP only works against 'offline phishing' where a phisher collects data first and tries to take over the accounts later. For any kind of immediate phishing, there is typically no problem to forward and re-use the token, even with a small delay.

As you say, U2F protects against this, by using challenge-response and using the origin to select the key handle.
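To make the 90-second figure concrete, here is an added example (not part of the thread or of any project mentioned in it) that implements RFC 4226 HOTP and RFC 6238 TOTP with the usual ±1-step tolerance, scans the clock to show how long a single code stays acceptable, and then shows the verifier-side mitigation a defender can apply: remembering the last consumed counter so a code can be used only once. The secret is the RFC 6238 SHA-1 test-vector key, used purely as constructed sample input; the class and function names are this example's own.

```python
import hmac
import hashlib
import struct

TIME_STEP = 30   # seconds per TOTP step (RFC 6238 default)
DIGITS = 6
WINDOW = 1       # accept one past and one future step, as most verifiers do

# Constructed sample secret: the RFC 6238 SHA-1 test-vector key, not a real credential.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // TIME_STEP)


def code_is_valid(secret: bytes, code: str, now: int, window: int = WINDOW) -> bool:
    """Stateless check used by many verifiers: does `code` match any step within +/-window of now?"""
    current = now // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(current - window, current + window + 1))


def acceptance_span(secret: bytes, issue_time: int, window: int = WINDOW) -> tuple:
    """Scan wall-clock seconds around issue_time and return the (first, last) second at which
    a stateless verifier still accepts the code that was issued at issue_time."""
    code = totp(secret, issue_time)
    accepted = [t for t in range(issue_time - 4 * TIME_STEP, issue_time + 4 * TIME_STEP)
                if code_is_valid(secret, code, t, window)]
    return accepted[0], accepted[-1]


class TotpVerifier:
    """Stateful verifier: same drift window, but each counter value is consumed at most once,
    so a code that has already been used cannot be presented again inside the window."""

    def __init__(self, secret: bytes, window: int = WINDOW):
        self.secret = secret
        self.window = window
        self.last_counter = -1   # highest counter value already consumed for this secret

    def verify(self, code: str, now: int) -> bool:
        current = now // TIME_STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue   # already consumed (or older than one already consumed)
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    first, last = acceptance_span(SECRET, 1000)
    print(f"code issued at t=1000 is accepted from t={first} to t={last}: {last - first + 1} seconds")
    v = TotpVerifier(SECRET)
    code = totp(SECRET, 1000)
    print("first use:", v.verify(code, 1000), " replay 10s later:", v.verify(code, 1010))
```

With a ±1-step window the scan reports 90 seconds (from the start of the previous step to the end of the next one); with `window=0` it drops to 30. The stateful verifier does not shrink that window, but it turns "a captured code is valid for 90 seconds" into "a captured code is valid until its legitimate owner uses it", which is the most a TOTP relying party can do on its own; the remaining exposure to a relayed code is the property of the scheme that U2F's origin binding removes.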

1 comments

I don't understand the start-off of "not really". Is that in reference to the first sentence or the 2nd? I think the "1Password-autofill" protects you against phishing because if you go to a legit site, the domain will match and 1Password will autofill. If you go to a phishing site that just looks right (Unicode domain, whatever), but doesn't match exactly then the auto-fill won't happen and you'll be tipped off.