But learn a bit before declaring bullshit ... A key is sufficient. If you lose, you must log into your email account security by authenticating the second step by another channel (eg SMS) and cancel the use of the key. If someone manages to steal your password, you are made aware immediately by SMS and email if it tries to bypass authentication key. You just have to define a new password and return to square one. Combined with a password management software (well used) KeePass or LastPass genre is ultra safe (which does not mean NSA safe).
The NFC feature works fine for authentication on mobile, the code generator OTP (One-Time-Password) "Yubico Authenticator" finally replaces the Google Authenticator who foolishly stores the AES key in memory. In short, no one will have access to your WBS codes without putting the key against the smartphone.
Besides the key is ready for U2F standard, ask what is the near future of the online identification for everyone.
A second free with a comment like this would be really appreciated, Yubico ... ;-)