I support your argument about Yubikeys - I myself use them for any financial site that allows it. A lot of companies do use them to check for fraudulent logins. But the friction of it is high enough that companies would much rather take the loss than force their customers to authenticate every time a transaction has to be made. Also, I think until it is normalized in the industry, there is a consumer perception of physical keys being too technically difficult to obtain, set up and manage. Not to mention, all the Yubikeys in the world still don't help if one goes and gets phished/socially engineered :)
I support your argument about Yubikeys - I myself use them for any financial site that allows it. A lot of companies do use them to check for fraudulent logins. But the friction of it is high enough that companies would much rather take the loss than force their customers to authenticate every time a transaction has to be made. Also, I think until it is normalized in the industry, there is a consumer perception of physical keys being too technically difficult to obtain, set up and manage. Not to mention, all the Yubikeys in the world still don't help if one goes and gets phished/socially engineered :)