The problem with Fido (and other such solutions, including smartphone-based passkeys) is that they make things extremely hard if you're poor / homeless / in an unsafe / violent family situation and therefore change devices often. It's mostly a non-issue for Silicon Valley tech employees working solely on their corporate laptops, and U2F is perfect for that use-case, but these concerns make MFA a non-starter for the wider population. We could neatly sidestep all of these issues with cloud-based fingerprint readers, but the privacy advocates won't ever let that happen.
Biometrics aren’t a great key because they cannot generally be revoked. This isn’t a privacy concern, it’s a security problem. You leave your fingerprints nearly everywhere you go, and they only need to be compromised once and then can never be used again. At best, you can repeat this process a sum total of 10 times without taking your shoes off to log in.
You're right, software security is only really available to rich and tech-minded folks.
That's kind of what I was trying to get at with my previous statement about humans being tired and fallible. The way we access and protect our digital assets feels incredibly un-human to me. It's wrapped up in complexity and difficulty that is forced upon the user (or kept away from, if you want to look at it that way).
As it is now, all of the solutions are only really available to someone who can afford it (by life circumstance, device availability, internet, etc) and those who can understand all the rules they have to play by to be safe. It's a very un-ideal world to live in.
When I brought up FIDO2, I was less saying "FIDO2 is the answer" and more saying, "we need someone to revolutionize the software authentication and security landscape because it is very very flawed".
The claim was that the FIDO protocol is better than the TOTP protocol no matter where you store keys. Your claim is that hardware key storage is difficult, but it doesn't differentiate between protocols: if you lost a device with hardware TOTP keys, you're not in a better position than if you lost a device with hardware FIDO keys.
Stronger security can also help the marginalized. If your abusive SO has the phone plan in their name, they can order up a new SIM card and reset passwords on websites that way too often fall back from “two factor” to SMS as a root password.