Relying on smartphones and mobile apps as the second factor is all too convenient. But I think it is a short-term and not-very-good answer. I'm personally not going to accept a smartphone as a second factor; it's a big risk IMO, and a big privacy exposure too. And I refuse to have a smartphone! Calling hardware tokens "legacy" made the piece sound a bit like an infomercial for Duo Security, though Duo do encompass the tokens too. The problem on the token side is the babel of standards that are being used, and if there were widespread adoption of something like U2F, then the $18 cost would not be a big overhead for any business, and probably not for most users. I'd take a little U2F hardware token over a smartphone authenticator anytime, but I suspect the latter are going to be forced down people's throats because they represent a wonderful opportunity for marketing and "ownership" - of you.