fido-u2f

Why is U2F login a two-step protocol?


In theory, logging in with a registered token could be accomplished in a single step...

  1. server sends challenge with the login form
  2. user responds with username, password and signed challenge.

However, the FIDO protocol adds an additional step...

  1. user submits username/password
  2. server sends challenge to the user
  3. client submits signed challenge

What is the security rationale for the additional step?


Solution

    • Short answer

    Because there are several keys on the FIDO U2F device and anonymity/privacy is assured between different services.

    • Details

    Each time a user associates (enrollment/registration step) a FIDO U2F device (USB Token/Security Key or NFC Card or BLE device soon) with his online service account, a new key pair is created for this identity with a reference id (Key Handle); the public key and key handle are sent to and stored on the server side. Key pairs (identities) are not shared between different online services (e.g. the key pair created for a Gmail account won't be used for a Facebook account).

    Once a key pair is created, when the user sends his username and password (the authentication step), the server checks which key handle(s) is/are already associated with this account, and the key handle(s) is/are sent with the server challenge to the client (browser, then FIDO U2F device) in order to ask for the right private key to be used for the signature.

    Side Note: One FIDO U2F device can be associated with several online services accounts. One service account can be associated with several FIDO U2F devices.

    • More details

    Here is a quick FIDO U2F CHEAT SHEET I made to better understand the registration and authentication steps, because it is easy to get lost inside the official FIDO U2F specification: http://www.neowave.fr/pdfs/FIDO-U2F-CHEAT-SHEET.pdf
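The flow the answer describes, as an added Go sketch (not code from the answer, the cheat sheet or any FIDO implementation): one token holds a separate P-256 key pair per (service, account) under an opaque key handle, so the server can only build its challenge message after username/password has told it which handles to send. It assumes a simplified signed message of sha256(appID || challenge) in place of U2F's real appParam/counter/challengeParam layout, and stores the private key beside the handle instead of wrapping it.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
// Device: key handle -> private key, one pair per (service, account).
type Device map[string]*ecdsa.PrivateKey
// random returns n crypto-random bytes; it panics only if the OS RNG fails.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// Register (enrollment): a fresh key pair plus an opaque handle for the server.
func (d Device) Register() (keyHandle string, pub *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	keyHandle = string(random(16)) // a real token wraps the key into the handle
	d[keyHandle] = priv
	return keyHandle, &priv.PublicKey
}
// Sign answers only for a handle this device holds (msg stands in for U2F's signed data).
func (d Device) Sign(appID, keyHandle string, challenge []byte) ([]byte, bool) {
	if priv, ok := d[keyHandle]; ok {
		msg := sha256.Sum256(append([]byte(appID), challenge...))
		sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
		return sig, err == nil
	}
	return nil, false
}
// Authenticate (steps 2-3): the account picked by username/password supplies the
// key handles sent with the challenge; the reply is verified with the public key
// stored under the handle the device answered for.
func Authenticate(appID string, regs map[string]*ecdsa.PublicKey, dev Device) bool {
	challenge := random(32)
	msg := sha256.Sum256(append([]byte(appID), challenge...))
	for keyHandle, pub := range regs {
		sig, ok := dev.Sign(appID, keyHandle, challenge)
		if ok && ecdsa.VerifyASN1(pub, msg[:], sig) {
			return true
		}
	}
	return false
}
```

With an empty registration map the server has nothing to send, which is exactly the situation the single-step design would be in before it knows the username.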