
Yeah, I mean if the goal is the "enterprise" solution, which is usually the solution where the setup, as well as the risk and damages of a break-in, can be shouldered to another company, then yeah RSA is usually the answer. I was primarily referring to the cryptographic security. Yes, RSA does avoid the transfer of plaintext secrets over the network, but instead you are placing your trust in RSA as a company to not have stored the secrets elsewhere (which, in most cases, is probably just fine).

The advantage of U2F is that it uses an asymmetric scheme where a keypair is generated for each authentication endpoint, so the secrets never leave the hardware token in the first place. Compared to RSA SecurID, you would need to have a really severe threat scenario such that you can't even trust RSA with your keys. Of course, U2F is also a much more complicated protocol than say TOTP, and has not existed long enough to stand the cryptographic test of time.

To answer your second question, I'm not sure I understand what you mean. TOTP (Google Authenticator), RSA SecurID, and U2F are all different types of 2FA. They could all be combined with Kerberos if that is what you want.
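The difference the comment draws between a shared-secret factor and a per-endpoint keypair is easy to see in code. The following is an added illustration, not code from the thread or from any U2F or SecurID implementation: it puts a minimal RFC 6238 TOTP verifier next to a toy U2F-style token that generates one Ed25519 keypair per origin and never exports the private half. The Ed25519 curve, the `origin`/`challenge` message layout, the user name "alice", the sample secret (the RFC 4226 test key) and the two origin strings are all constructed for the example; real U2F uses P-256 and a different signed layout.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// TOTPCode computes an RFC 6238 / RFC 4226 code (HMAC-SHA1, 6 digits) for one
// 30-second time step. Both sides must hold the same secret to run this.
func TOTPCode(secret []byte, step uint64) uint32 {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return bin % 1000000
}

// TOTPServer has to keep every user's shared secret in usable form, so a copy
// of this table is as good as the token itself.
type TOTPServer struct{ secrets map[string][]byte }

func (s *TOTPServer) Verify(user string, step uint64, code uint32) bool {
	secret, ok := s.secrets[user]
	return ok && TOTPCode(secret, step) == code
}

// Token models a U2F-style authenticator: one keypair per origin, private keys
// never leave the struct.
type Token struct{ keys map[string]ed25519.PrivateKey }

// Register creates a fresh keypair for an origin and hands out only the public key.
func (t *Token) Register(origin string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t.keys[origin] = priv
	return pub
}

// Sign answers a challenge with the key registered for the origin the browser
// reports. A different origin selects a different key (or none).
func (t *Token) Sign(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := t.keys[origin]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, signedMessage(origin, challenge)), true
}

// signedMessage binds the challenge to the origin (simplified stand-in for
// U2F's application parameter; assumed layout, not the real wire format).
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// U2FServer stores only public keys; a dump of this table cannot produce signatures.
type U2FServer struct {
	origin string
	pubs   map[string]ed25519.PublicKey
}

func (s *U2FServer) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubs[user]
	return ok && ed25519.Verify(pub, signedMessage(s.origin, challenge), sig)
}

// Demo runs both designs once and reports: does a genuine U2F login verify,
// does a signature made for a look-alike origin verify at the real site, and
// does the server's own copy of a TOTP secret suffice to mint a valid code.
func Demo() (genuine, lookalike, serverCopyMints bool) {
	// TOTP: enrolment leaves a copy of the secret on the server (constructed sample key).
	shared := []byte("12345678901234567890")
	totp := &TOTPServer{secrets: map[string][]byte{"alice": shared}}
	serverCopyMints = totp.Verify("alice", 42, TOTPCode(totp.secrets["alice"], 42))

	// U2F: the token keeps the private key; the server is enrolled with the public key only.
	const bank = "https://bank.example"
	tok := &Token{keys: map[string]ed25519.PrivateKey{}}
	srv := &U2FServer{origin: bank, pubs: map[string]ed25519.PublicKey{}}
	srv.pubs["alice"] = tok.Register(bank)

	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	sig, _ := tok.Sign(bank, challenge)
	genuine = srv.Verify("alice", challenge, sig)

	// The token will happily register at a look-alike origin too, but that
	// yields a separate keypair whose signatures mean nothing to the real site.
	tok.Register("https://bank-login.example")
	sig2, _ := tok.Sign("https://bank-login.example", challenge)
	lookalike = srv.Verify("alice", challenge, sig2)
	return
}

func main() {
	g, l, m := Demo()
	fmt.Printf("genuine U2F login verifies: %v\nlook-alike origin signature verifies: %v\nserver-side TOTP copy mints valid codes: %v\n", g, l, m)
}
```

Running it prints `true`, `false`, `true`: the U2F relying party can be fully compromised without exposing anything that signs, whereas the TOTP verifier cannot function without holding the same secret the token holds, which is exactly the trust in the vendor or server operator that the comment describes.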

> you would need to have a really severe threat scenario such that you can't even trust RSA with your keys

Such as the one where RSA was compromised and secrets were leaked, sadly.
