This is incorrect. Security Key is not just a one-way OTP generator. It is a bidirectional challenge response system. This requires explicit browser support to work.
The Yubikey website specifies that the device registers as a Keyboard, flash card, and flash reader when you plug it in. That said it isn't entirely clear if this new standard utilizes that or if that's merely provided as a fallback for older devices that don't support this new protocol.
Edit: After consulting the specification for this standard it does appear as if it uses the core USB specification to communicate with supported devices when using this protocol. There is also information stating that NFC, bluetooth and other transports will have specification provides later on but that they currently only have a spec for communication over USB. The takeaway appears to be that the Yubikey device can function as a 2FA over NFC or USB when in a sort of fallback mode that emulates a keyboard, but when used directly with this protocol can only support USB. It's possible there might be some driver shims that allow it to communicate over NFC while still appearing as a USB device to the browser, but that would of course require a custom driver be installed and most likely violates this standard in its current formulation.
The Yubikey website specifies that the device registers as
a Keyboard, flash card, and flash reader when you plug it
in.
Looking at [1] it seems they make a range of products; some of their products implement multiple standards, as well as multiple USB devices. The "Premium NEO" emulates a keyboard to provide OATH HOTP, emulates a smart card reader to support PIV, and emulates a "FIDO U2F HID device" to support FIDO.
On the other hand, their "FIDO U2F Special SECURITY KEY", which only supports FIDO, does not emulate a keyboard or smart card reader - it only supports "FIDO U2F HID device"
So presumably FIDO relies on special browser support to talk to the physical hardware, and implements HID but doesn't emulate a keyboard.
Per the FIDO spec they implement the protocol on top of the standard libUSB that's available as part of all current generation OSes. So yes, in a way, the OS does get involved, but only in so far as it treats it as yet another generic USB device. It's up to the application that implements the FIDO spec to send the proper commands over USB to interface with the HID device.
I do understand what they're saying, though. My bank also uses 2FA. You can type a challenge into a dongle, but you can also hook up the dongle. However, it needs a USB driver to work. Every OS update, it's uncertain whether it still works. I don't use it anymore because of that reason.
This stuff built into the browser makes it easier.
