
And FIDO Security Keys (U2F / WebAuthn)

The particularly nice thing about FIDO Security Keys that's relevant here is even a hideously incompetent implementation doesn't hurt you. The Relying Party (in this case Twitter) doesn't end up with any secrets, they get an apparently random "cookie" value to give back to you when they want you to prove you've still got that key, and an elliptic curve public key that doesn't correlate to anything except your login on their site. If they screwed up so badly that the Twitter web site showed a user's U2F parameters to every single visitor looking at their tweets it not only wouldn't unmask any pseudonyms used (as a phone number definitely would) it wouldn't even make it easier to log in as that user. FIDO is the right thing everywhere that a second factor is needed, but even more so when you don't trust the implementers to do a good job.
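The mechanism the comment above relies on, shown as an added example that is not code from the thread or from any FIDO library: a miniature WebAuthn registration and assertion in Go using only the standard library's P-256 ECDSA. The relying party ID `twitter.example`, the user `alice`, the 16-byte random credential ID and the single user-present flag byte are assumptions made for the demo; real authenticator data carries more fields and the client data is a JSON document with origin and challenge, both simplified here. The point it demonstrates is the one in the comment: hand an attacker the entire per-user record the site stores (credential ID, public key, counter) and they still cannot produce an assertion the site will accept, and the same key enrolled at two sites hands each a different public key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Authenticator models a FIDO security key: one fresh P-256 key pair per
// registration, looked up by the opaque credential ID handed to the site.
type Authenticator struct {
	creds   map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a key pair for this relying party and returns the only two
// things the RP gets to keep: a random credential ID and the public key.
func (a *Authenticator) Register(rpID string) ([]byte, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	credID := make([]byte, 16) // assumed length; real IDs are authenticator-specific
	if _, err := rand.Read(credID); err != nil {
		return nil, nil, err
	}
	a.creds[string(credID)] = priv
	return credID, &priv.PublicKey, nil
}

// signedMessage is what both sides sign/verify: sha256(authData || sha256(clientData)).
func signedMessage(ad, clientData []byte) []byte {
	cdh := sha256.Sum256(clientData)
	m := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return m[:]
}

// Assert builds authenticator data (sha256(rpID) || flags || counter) and signs
// it with the key bound to credID. ok is false when this key never registered
// credID, which is exactly the position of someone holding a leaked record.
func (a *Authenticator) Assert(rpID string, credID, clientData []byte) (ad, sig []byte, ok bool) {
	priv, found := a.creds[string(credID)]
	if !found {
		return nil, nil, false
	}
	a.counter++
	h := sha256.Sum256([]byte(rpID))
	ad = append(h[:], 0x01) // flags: user present (assumed single flag)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], a.counter)
	ad = append(ad, ctr[:]...)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, clientData))
	return ad, sig, err == nil
}

// Credential is the entire per-user record the RP keeps: no secret in it.
type Credential struct {
	ID      []byte
	Pub     *ecdsa.PublicKey
	Counter uint32
}

type RelyingParty struct {
	ID    string
	users map[string]*Credential
}

func (rp *RelyingParty) Enroll(user string, credID []byte, pub *ecdsa.PublicKey) {
	if rp.users == nil {
		rp.users = map[string]*Credential{}
	}
	rp.users[user] = &Credential{ID: credID, Pub: pub}
}

// Verify accepts an assertion only if it is bound to this RP's ID, carries a
// counter above the last one seen, and verifies under the stored public key.
func (rp *RelyingParty) Verify(user string, challenge, ad, sig []byte) bool {
	c, ok := rp.users[user]
	if !ok || len(ad) != 37 {
		return false
	}
	want := sha256.Sum256([]byte(rp.ID))
	if !bytes.Equal(ad[:32], want[:]) {
		return false // signed for a different site: phishing resistance
	}
	counter := binary.BigEndian.Uint32(ad[33:])
	if counter <= c.Counter {
		return false // replayed assertion or cloned authenticator
	}
	if !ecdsa.VerifyASN1(c.Pub, signedMessage(ad, challenge), sig) {
		return false
	}
	c.Counter = counter
	return true
}

// LeakScenario: alice logs in, then an attacker holding a copy of alice's whole
// RP record and owning their own key tries. Returns (alice ok, attacker ok).
func LeakScenario() (bool, bool) {
	rp := &RelyingParty{ID: "twitter.example"}
	alice := NewAuthenticator()
	credID, pub, _ := alice.Register(rp.ID)
	rp.Enroll("alice", credID, pub)
	ad, sig, _ := alice.Assert(rp.ID, credID, []byte("challenge-1"))
	legit := rp.Verify("alice", []byte("challenge-1"), ad, sig)

	leaked := *rp.users["alice"] // credential ID + public key + counter
	attacker := NewAuthenticator()
	atkID, _, _ := attacker.Register(rp.ID)
	attacker.Assert(rp.ID, atkID, nil) // bump counter past alice's so only the signature decides
	ad2, sig2, _ := attacker.Assert(rp.ID, atkID, []byte("challenge-2"))
	forged := rp.Verify("alice", []byte("challenge-2"), ad2, sig2)
	_, _, canSign := attacker.Assert(rp.ID, leaked.ID, []byte("challenge-3"))
	return legit, forged || canSign
}

// SameKeyTwoSites: one authenticator enrolled at two RPs hands out two
// unrelated public keys, so the key itself links nothing across sites.
func SameKeyTwoSites() bool {
	key := NewAuthenticator()
	_, pubA, _ := key.Register("twitter.example")
	_, pubB, _ := key.Register("github.example")
	return pubA.Equal(pubB)
}

func main() {
	legit, atk := LeakScenario()
	fmt.Printf("alice ok: %v, attacker with leaked record ok: %v, same key at two sites: %v\n",
		legit, atk, SameKeyTwoSites())
}
```

Running it prints that alice's login verifies, the attacker's does not, and the two sites hold different keys. The rpID hash check in Verify is what gives the phishing resistance the comment alludes to: an assertion signed for another origin fails before the signature is even examined.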



Twitter currently does not allow adding more than one U2F key to an account. It’s normative to have at least one extra key for backup. Google, Github, even Facebook support adding multiple hardware tokens to an account, but not Twitter.

Also, if you try requesting an API key, they insist that you add a phone number to your account.



