[diminoten]

I think folks overestimate a) how often physical theft actually takes place and b) the level of sophistication that folks who steal your phone are going to have.

In order for me to use the "thing I have" to get into your account, I'd need to know your account. The number of targeted thefts that take place are really low, compared to the number of folks who run around with "password" or "letmein" as their "thing they know".

The threat model for Joe User is just not that complex, is all I'm saying. For Paranoia User, options should certainly exist, but for her brother Joe, it's not very necessary.