OTP is regularly phishable, not requiring any webusb. Before this webusb attack, u2f was unphishable.