by lxgr 1353 days ago
Do they really ask for a phone number, or would a Yubikey work as well?

A Yubikey would be as useless in this article's specific case, as the problem is losing valuable things (e.g., phones). A Yubikey is no different.

It too would be lost.

That's definitely a problem, and a tricky one to solve in the context of 2FA: One of these factors is usually knowledge (your password); the other then has to be possession or inherence, and the latter has problems as well.

Essentially, if you rule out possession, your choice is between server-side validated biometrics (if offered at all), or "double knowledge" (e.g. a password and email 2FA, with the email account also only protected by a password), which is pretty phishable.