
The alternative right now is people using the same pot password everywhere, and/or writing it down on post-it notes next to their computer. We need far better solutions for the majority.



I dearly wish that security keys (Yubikey etc) were cheaper. The average person needs two keys so that they can store one as a backup. The average person needs keys that support NFC (or similar) so that they can easily use one across multiple devices. But the average person is not going to pay $50 for a pair of keys, regardless of the security or convenience benefit. It's not until you hit the $5/key range that people will use them without being strongly deterred by the cost.


I think that ease of use and services that support it are bigger challenges than the price.


Even if every service supported it, ~$50 is a tough sell. For half of the population in the US, that's a minimum of 3 hours of work! Anything short of an "impulse buy" price is too much for most people, given the nebulous security/convenience benefit. But have them cheap enough to be sold at a discount store? That's enough to make it palatable. It's enough that tech folks can recommend them to virtually anyone without reservation.

At the current price, it's hard to recommend them to people I know. Even to those who still suffer in a world of post-it notes, reused passwords, and unclear knowledge of which device they own has saved what. The sort who live by the "forgot your password?" link. I've recommended password managers to them, but the recommendee is usually put off by the hassle of installing one and creating an account. Oddly enough, this hassle comes off as more surmountable if it's part of making a physical object work properly. There's something about the sunk cost of having already spent money, the natural value associated with a physical object, and the sense that they've already begun the process that makes the hurdle feel smaller.


Surely hardware keys (like Yubikey) are the easiest security factor to use? Nothing to remember, and it works just like a physical key, so nothing much to learn.

I do wish it was more widely supported.


Post-it notes at home aren't so bad. It is not like you couldn't steal a phone if you have physical access. Maybe fingerprint is a bit hard, but learning the passcode or using face unlock when the person is sleeping...


Post-its at home can be stolen, or photographed, while I'm out of the house. My phone plus my face? Without me noticing either? Not as easy.

I still keep printed one-time recovery codes locked up and hidden to not be completely surrendered to my phone, but I don't really like them since they can be copied without notice; the only comfort is that usage of them will trigger a notification. Yubikeys feel like a better middle ground.



