The main problem with secure-device-based 2FA is how to handle the case when the device gets lost and you don't have backups (many people don't really think about this kind of stuff beforehand). How can a person re-establish their identity? For services like Google, Facebook, etc., the answer might be "you don't", but it is more difficult for companies where the end user is also the customer.
And I think the best answer is a government-issued digital identity and being able to use that to recover your access to the online services (of course, it's up to you if you wish to make this connection).