FIDO Alliance Password-less Authentication Spec.
Last month, the FIDO Alliance released specifications that aim to remove passwords from authentication. A few years ago, Google was already "declaring war on passwords", and published an interesting article in IEEE Security and Privacy, "Authentication at Scale". While some improvements have been made, such as Google Authenticator for two-factor authentication, they do not appear to be widely implemented.
[Figure: UAF and U2F process graphic from the FIDO Alliance]
A site or browser prepared to accept FIDO authentication will offer the user that option when a FIDO device is present. The first time a device is identified, the user is offered the option to register their FIDO authenticator and use it. Subsequently, the registered device is automatically detected at the site and the user is presented with options for authentication, until the user opts in or out. Please note that FIDO authentication is entirely device-centric. The authentication exchange occurs only between the FIDO device and the authenticating FIDO server, and the exchange consists solely of cryptographic messages.[1]
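The register-then-authenticate exchange described above, as an added example that is not the FIDO Alliance's code or this post's own: a constructed Go model of a U2F-style token and relying party, in which the server only ever holds a public key and checks signatures over its own challenge. Key handles and attestation are omitted, and the app ID string, the challenge bytes and the function names are assumptions; the signed message layout follows the U2F shape of sha256(appID) || counter || sha256(challenge).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Authenticator is a constructed model of a U2F-style token (key handles omitted): one fresh P-256 key pair per app ID.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // app ID -> key pair bound to that app ID; never leaves the device
	counter uint32                       // signature counter, sent with every assertion
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
// Register mints a key pair for appID and hands the server only the public half.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}
// signedMessage mirrors the U2F authentication response: sha256(appID) || counter || sha256(challenge).
func signedMessage(appID string, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	return append(binary.BigEndian.AppendUint32(app[:], counter), chal[:]...)
}
// Authenticate signs the server's challenge with the key bound to appID; a look-alike origin has no key and gets no signature.
func (a *Authenticator) Authenticate(appID string, challenge []byte) (uint32, []byte, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return 0, nil, errors.New("no key registered for this app ID")
	}
	a.counter++
	digest := sha256.Sum256(signedMessage(appID, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return a.counter, sig, err
}
// VerifyAssertion is the server side: the stored public key must verify the signature and the counter must move forward, which rejects replayed or cloned-token messages.
func VerifyAssertion(pub *ecdsa.PublicKey, last *uint32, appID string, challenge []byte, counter uint32, sig []byte) error {
	if d := sha256.Sum256(signedMessage(appID, counter, challenge)); counter <= *last || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("assertion rejected: stale counter or bad signature")
	}
	*last = counter
	return nil
}
```

Nothing resembling a password or shared secret is stored on the server side; the only state it keeps per registration is the public key and the last counter value it accepted.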
Though a U2F device may store a password (in practice, it can be a 4-digit PIN) as a fallback that lets the user unlock their own device locally (to make changes to it, for example), that use can rely on a very simple, fixed password or code. In this way, the U2F PIN is not at all like an OTP. The PIN available to a U2F user never needs to change, because it never does anything but allow the user to unlock the device locally. The PIN is only relevant to the FIDO device, so it never needs to be shared with a server or sent over a network, as an OTP must be. It has no value to a hacker, because it is meaningless to the server.[1]
[1] Clarification provided by Suzanne Matick