Every factor is vulnerable: phones, phone provider, Gmail accounts, YubiKeys and even yourself. What if someone points a gun at you and asks you to transfer all the bitcoins?
Why not distribute the authentication factors among multiple trusted parties instead of a single person? This would not scale for normal use cases, but could help for mission-critical updates. For example, if I change my Gmail password or port my phone number or update my auth factors (which are all considered major/mission-critical changes), then the change has to be verified by at least 51% of my trusted contacts. So, instead of verifying authentication just with me, the provider has to send 2FA tokens to all my trusted parties (my spouse/partner, close friends, family members, etc.). If 3 (out of 5) have verified and approved the change, then the provider would implement the change.
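A provider-side sketch of the approval quorum proposed above, as an added example that is not part of the original comment. The class and method names and the trustee labels are hypothetical, and the token format (an HMAC over the request, account, action and trustee) is an assumption about how such tokens could be bound to one specific change.

```python
import hashlib
import hmac
import secrets
import time


class QuorumChange:
    """One mission-critical change awaiting trusted-contact approval (hypothetical design)."""

    def __init__(self, account, action, trustees, ttl_seconds=3600, now=None):
        if len(set(trustees)) != len(trustees) or account in trustees:
            raise ValueError("trustees must be distinct and exclude the account owner")
        self.request_id = secrets.token_hex(16)
        self.account, self.action = account, action
        self.trustees = frozenset(trustees)
        self.expires_at = (time.time() if now is None else now) + ttl_seconds
        # "at least 51%" rounded up with integer arithmetic: 3 of 5
        self.threshold = (51 * len(self.trustees) + 99) // 100
        self._key = secrets.token_bytes(32)  # per-request secret, stays with the provider
        self.approved = set()

    def token_for(self, trustee):
        """Token sent to one trustee; bound to this request, account, action and trustee."""
        msg = "|".join((self.request_id, self.account, self.action, trustee)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def approve(self, trustee, token, now=None):
        """Record one approval; returns True once the quorum is reached."""
        if (time.time() if now is None else now) > self.expires_at:
            raise PermissionError("request expired")
        if trustee not in self.trustees:
            raise PermissionError("not a trusted contact")
        expected = self.token_for(trustee)
        if not hmac.compare_digest(token.encode(), expected.encode()):
            raise PermissionError("bad token")
        self.approved.add(trustee)  # a set, so a repeated approval is not counted twice
        return self.is_authorized()

    def is_authorized(self):
        return len(self.approved) >= self.threshold
```

Because each token covers the action and the trustee, an approval collected for one change cannot be replayed for a different change or submitted under another contact's name.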