by tptacek
3361 days ago
These are indeed answers, but they aren't the real answers. The real answer for "why not a smartphone app" is "because code generators are just as phishable as passwords". In the real world, that's how people are being compromised, not by elaborate phone exploit pivots but by phishing pages. It also speaks to why phone authenticators are acceptable backups to tokens. The real answer for "why not SMS" is "because both teenagers and intelligence services can get a phone number redirected; your phone number is not your phone." Obviously, you don't PIN-lock a U2F token; the answer to "what if it's stolen" is "whoever stole it probably doesn't have your password, which they'll need in order to use the token, so if your token is stolen remove it from your account and then fish $17.99 out of your couch cushions and buy a new one".
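The phishability difference tptacek describes, as an added worked example that is not part of the thread or any real library: a relayed TOTP code is accepted by the real site because nothing in the code records where the user typed it, whereas a U2F-style assertion is signed over the origin the browser actually observed, so a relay from a look-alike site fails. The origins `bank.example` and `bank-login.example` are constructed, and an HMAC keyed per app_id stands in for the token's per-handle ECDSA key (labelled in the code); that simplification does not change what the signature covers.

```python
"""Added example: relayed TOTP succeeds, relayed U2F-style assertion fails.
Toy code written for this thread, not tptacek's or any real library's."""
import hashlib
import hmac
import json
import os
import struct

# ---- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) -------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_server_accepts(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    # Servers accept a step of clock skew either side; that window also gives a phisher time to relay.
    return any(hmac.compare_digest(totp(secret, unix_time + k * 30), code)
               for k in range(-window, window + 1))

def phish_relay_totp(secret: bytes, unix_time: int) -> bool:
    # Victim reads the code off their app and types it into the phishing page;
    # the attacker forwards it to the real site five seconds later. The code
    # carries no information about where it was typed, so the real server accepts it.
    code_typed_into_phish_page = totp(secret, unix_time)
    return totp_server_accepts(secret, code_typed_into_phish_page, unix_time + 5)

# ---- U2F-style origin-bound assertion ---------------------------------------
REAL_ORIGIN = "https://bank.example"        # constructed for this example
PHISH_ORIGIN = "https://bank-login.example"  # constructed for this example

class Token:
    """Stand-in for a U2F token. A real token holds an ECDSA key per key handle;
    here an HMAC key derived per app_id stands in for that signing key (assumption),
    which is enough to show what the signature covers."""
    def __init__(self, device_secret: bytes):
        self.device_secret = device_secret
        self.counter = 0

    def key_for(self, app_id: str) -> bytes:
        return hmac.new(self.device_secret, app_id.encode(), hashlib.sha256).digest()

    def sign(self, app_id: str, client_data: bytes):
        self.counter += 1
        # U2F signs: sha256(appId) || user-presence flag || counter || sha256(clientData)
        signed = (hashlib.sha256(app_id.encode()).digest() + b"\x01"
                  + struct.pack(">I", self.counter) + hashlib.sha256(client_data).digest())
        return self.counter, hmac.new(self.key_for(app_id), signed, hashlib.sha256).digest()

def browser_get_assertion(token: Token, page_origin: str, challenge: str):
    """The browser, not the page, writes the origin into clientData, and only lets a
    page use the app_id matching its own origin (simplified facet check)."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin},
                             sort_keys=True).encode()
    counter, sig = token.sign(page_origin, client_data)
    return client_data, counter, sig

class RelyingParty:
    def __init__(self, origin: str, registered_key: bytes):
        self.origin = origin
        self.key = registered_key  # the registered public key in reality; HMAC key in this toy
        self.last_counter = 0
        self.issued = set()

    def new_challenge(self) -> str:
        ch = os.urandom(16).hex()
        self.issued.add(ch)
        return ch

    def verify(self, client_data: bytes, counter: int, sig: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("origin") != self.origin or data.get("challenge") not in self.issued:
            return False  # assertion was produced for some other origin
        signed = (hashlib.sha256(self.origin.encode()).digest() + b"\x01"
                  + struct.pack(">I", counter) + hashlib.sha256(client_data).digest())
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig) or counter <= self.last_counter:
            return False  # wrong key, tampered clientData, or replayed counter
        self.last_counter = counter
        self.issued.discard(data["challenge"])
        return True

def setup():
    token = Token(os.urandom(32))
    rp = RelyingParty(REAL_ORIGIN, token.key_for(REAL_ORIGIN))  # registration step
    return token, rp

def legit_u2f_login() -> bool:
    token, rp = setup()
    return rp.verify(*browser_get_assertion(token, REAL_ORIGIN, rp.new_challenge()))

def phish_relay_u2f(tamper_origin: bool = False) -> bool:
    token, rp = setup()
    challenge = rp.new_challenge()  # attacker fetched a real challenge and relayed it to the victim
    client_data, counter, sig = browser_get_assertion(token, PHISH_ORIGIN, challenge)
    if tamper_origin:
        # Attacker rewrites clientData to claim the real origin; the signature covered the original bytes.
        data = json.loads(client_data)
        data["origin"] = REAL_ORIGIN
        client_data = json.dumps(data, sort_keys=True).encode()
    return rp.verify(client_data, counter, sig)
```

`phish_relay_totp` returns True (the relayed code logs the attacker in), while `phish_relay_u2f` returns False whether or not the attacker rewrites the origin in clientData, because the browser, not the page, fixes the origin and the token's signature covers it. The same reasoning is why a phone authenticator app is a reasonable backup for a token but not a replacement for it.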
No matter how much you protect the secret though, not getting phished is left to the hopefully paranoid user, which is for sure not ideal, but we are probably years out from TOTP being replaced with U2F for most sites.
TOTP via hardware tokens is a stopgap.
Great comments though. Will update to reflect them.