From helpnetsecurity.com
Despite implementation bugs that might affect the security of physical security keys, they are the strongest protection against phishing currently available, Google maintains.
On-device prompts and SMS codes are also extremely successful at blocking account hijacking attacks effected via automated bots and bulk phishing attacks, but can be bypassed by some skilled attackers that focus on targeting specific users.