by umvi 2483 days ago
It would help... for now. Like I said though - it will be expensive and onerous for both the employees and the company... and who knows what the next evolution in attacks will be.

No matter how good security gets, attackers will always adapt. Everyone on earth is now using YubiKeys? Now you need a process in place for when people get their keys lost or stolen. Or when your computer doesn't have a USB port. And whatever "I forget my password"-esque process that is will probably be much easier to attack/manipulate/social engineer than the keys themselves would be.

1 comments

Having to obtain a physical item is substantially harder to automate than credential stuffing. Especially U2F, which is a practical phishing protection and extremely hard to social engineer (you'd need to mail a token somewhere), should IMHO be the default for admin interfaces with elevated privileges.