It's a form of two-factor authentication (2FA)
With the ones Bill and I mentioned, you have an app that is time-based and synced to another service and it generates a new code every 30 seconds or so. To log into GMail or other sites that support it, you need to have the device which is synced with the account. So basically nobody can do a dictionary attack on your account. Other methods of hacking and social engineering might succeed, but the dictionary attack is off the table. Even if someone gets my Google username and password, they can't access the account.
The Yubikey is similar, but it's a small USB chip that goes into your USB port (or communicates to your phone in some setups) and typically needs to be touched to send the second factor to the account.
The most common 2FA is an SMS message. The SMS system is fairly vulnerable, but the main reason it's not a preferred system for me is that I am almost always in places with no cell phone reception (notably, my home).
My workaround for places that only offer SMS (my registrar for instance) is a Google Voice number that they can send texts to, but obviously that's not a good way to protect your Google account.