Re: Microsoft already nailed this
What happens when you lose the phone, or someone steals it?
There are only two possibilities:
1. You're locked out forever. The good news is that the thief/attacker still has to guess your password. You chose a strong one, right?
2. There's some means of recovery without the "second factor", which is really just another way of saying that there's only one real factor.
Similar questions can be asked about what happens when (not if) you get SIM-swapped, or forget the password part. They all devolve to one of the two possibilities: either there's only one real factor, or you're locked out forever. Then what if both things happen? Authentication is about proving an actor's identity. How do you do that? What *is* identity, anyway? Is it the human being, or is it the device the human is using, or is it the credential(s)? Nothing in FIDO's, or Microsoft's, proposed solutions addresses these fundamental problems.