They let you enroll a hardware token after you enable either a TOTP or SMS 2FA method. No idea why, seems to defeat the point of the additional security that a hardware token offers.
Authenticator apps, and SMS help them derive you have identity -- which is more secure for them and you. Hardware token via WebAuthn (etc) is only more secure for you.
When they say "for the sake of security" they mean for them too.
There's a reason they want you to verify using one of the first two methods first.
> Authenticator apps, and SMS help them derive you have identity
How do they do that?
TOTP (i.e. authenticator apps) is a simple algorithm where the value is derived from a secret key and current time. It certainly doesn't verify anything about you.