To be clear, U2F is a FIDO protocol, and FIDO2 is a new set of FIDO protocols that supersedes U2F. U2F and FIDO2 are mutually exclusive: they both use the same AID when selecting the application on the chip, so you cannot have both installed at the same time.
When it comes to OTP, we must understand that “OTP” is a heavily abused term that means different things in different contexts. In general it means One Time Password, but when we say OTP we typically mean TOTP.
OATH-TOTP / OATH-HOTP
• OATH-TOTP = Time-based one-time password (TOTP) is a computer algorithm that generates a one-time password (OTP) that uses the current time as a source of uniqueness. As an extension of the HMAC-based one-time password algorithm (HOTP), it has been adopted as Internet Engineering Task Force (IETF) standard RFC 6238.
• OATH-HOTP = HMAC-based one-time password (HOTP) is a one-time password (OTP) algorithm based on HMAC adopted as Internet Engineering Task Force (IETF) standard RFC 4226.
The key generates a 6 or 8 character OTP (or one-time password) for logging into any service that supports either TOTP or HOTP.
The difference between TOTP and HOTP is that the former is time-based, meaning a new password is generated at a set time interval, typically every 30 seconds. The latter is counter-based, meaning a new one-time password is generated for each event.
YubiKeys
Yubico is a slightly different beast. Yubico has different USB interfaces, and each one of them supports one or multiple modes/protocols.
- FIDO: This interface only supports the U2F or FIDO2 protocol.
- OTP: This interface has 2 slots (short-press and long-press). Each one of them can be configured and used as: OATH-HOTP, Yubico OTP, Challenge-Response or Static password. By default, Yubico OTP is preconfigured in the first slot.
- CCID: This is the interface allowing the key to act as a Smart Card. It supports up to 32 OATH-TOTP/OATH-HOTP codes, PIV and OpenPGP.
Yubico OTP
This is a proprietary protocol created by YubiKey. As part of the process of manufacturing every YubiKey, a Yubico OTP credential is programmed into slot 1, and its information is also transferred to YubiCloud. Yubico OTP generates a long rotating password which is only possible to validate online using YubiCloud (Yubico’s validation service), or by implementing a locally hosted validation server via YubicoLabs. This is the weird string you will get if you touch your YubiKey when focused on a text input.
VivoKey HMAC-SHA1
The Yubico OTP password output is based on HMAC key hashing RFC 2104. The VivoKey HMAC-SHA1 applet supports this type of key hash output, and has two separate key slots available. However, the HMAC-SHA1 applet is not necessarily directly compatible with Yubico OTP.