
Do you know how expensive it is to support physical keys for a large organization? I'm not talking about the cost of the key. I'm talking about how many people lose, break, or have another problem with their keys (data corruption, software issues, USB port is broken, etc.). You need dedicated staff at every physical location with all the support capability to troubleshoot those issues and replace keys. Every time a key doesn't work, that's one less person working, plus time taken up by support staff. The TCO is millions of dollars. It's much cheaper to use software tokens that have fewer failure modes and simpler support requirements.

Even if you do use physical keys, malware on the machine from a phishing+0-day attack can simply wait for the user to log in with their physical key, and use an existing, valid session to inject an attack. This has existed for at least 15 years since I first saw the attack, and it still works great, even with FIDO2.

What happens to T-Mobile if an attacker takes over an account, regardless of which security method is compromised? Basically nothing. Yeah, some customers get SIM-swapped, who cares? T-Mobile has not lost any money. So there is no incentive for T-Mobile to have better security in those cases. Hence, no need for physical keys, which wouldn't stop all attacks anyway.
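As an added illustration of the session-riding point made in the comment above (this is example code written for this page, not code from the thread, from T-Mobile, or from any FIDO2 library): a toy Go relying party in which only the login step verifies a signature from the authenticator, with Ed25519 standing in for a FIDO2 assertion, and every later request is authorized by a bearer session ID. Once the user has logged in, malware on the same host needs only that session ID to perform a sensitive action; it never has to touch or forge the key. All names here (Server, Authenticator, alice, mallory, Transfer) are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server is a toy relying party. Only Login checks a signature from the
// registered key; every later call is authorized by a bearer session ID.
type Server struct {
	pubKeys   map[string]ed25519.PublicKey // user -> registered public key
	challenge map[string][]byte            // user -> outstanding login challenge
	sessions  map[string]string            // session ID -> user
	balances  map[string]int               // user -> balance (hypothetical sensitive data)
}

func NewServer() *Server {
	return &Server{
		pubKeys:   map[string]ed25519.PublicKey{},
		challenge: map[string][]byte{},
		sessions:  map[string]string{},
		balances:  map[string]int{},
	}
}

func (s *Server) Register(user string, pk ed25519.PublicKey) { s.pubKeys[user] = pk }

// Challenge issues a fresh random nonce the authenticator must sign.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.challenge[user] = c
	return c
}

// Login verifies the assertion over the outstanding challenge and, on success,
// hands back a random session ID. The key is never consulted again.
func (s *Server) Login(user string, sig []byte) (string, error) {
	pk, okKey := s.pubKeys[user]
	c, okCh := s.challenge[user]
	if !okKey || !okCh {
		return "", errors.New("unknown user or no outstanding challenge")
	}
	delete(s.challenge, user) // challenges are single use
	if !ed25519.Verify(pk, c, sig) {
		return "", errors.New("assertion did not verify")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	sid := hex.EncodeToString(raw)
	s.sessions[sid] = user
	return sid, nil
}

// Transfer is a sensitive action guarded only by the session cookie.
func (s *Server) Transfer(sid, to string, amount int) error {
	user, ok := s.sessions[sid]
	if !ok {
		return errors.New("not logged in")
	}
	if s.balances[user] < amount {
		return errors.New("insufficient funds")
	}
	s.balances[user] -= amount
	s.balances[to] += amount
	return nil
}

// Authenticator stands in for the physical key: the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

func (a Authenticator) Sign(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }

// RunScenario plays out the attack from the comment: the user logs in with the
// key, then malware reuses the resulting session ID to move money.
func RunScenario() (victimBalance, attackerBalance int, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, err
	}
	key := Authenticator{priv}
	srv := NewServer()
	srv.Register("alice", pub)
	srv.balances["alice"] = 100

	// 1. Legitimate login: the key signs the challenge, user touches it once.
	sid, err := srv.Login("alice", key.Sign(srv.Challenge("alice")))
	if err != nil {
		return 0, 0, err
	}

	// 2. Malware never touches the key; the session ID alone is enough.
	stolen := sid
	if err := srv.Transfer(stolen, "mallory", 75); err != nil {
		return 0, 0, err
	}
	return srv.balances["alice"], srv.balances["mallory"], nil
}

// ForgedLoginFails shows why the malware has to wait for a real login:
// without the private key it cannot produce an assertion the server accepts.
func ForgedLoginFails() bool {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer()
	srv.Register("alice", pub)
	srv.Challenge("alice")
	_, err := srv.Login("alice", make([]byte, ed25519.SignatureSize))
	return err != nil && srv.Transfer("no-such-session", "mallory", 1) != nil
}

func main() {
	v, a, err := RunScenario()
	fmt.Println("victim:", v, "attacker:", a, "err:", err, "forged login rejected:", ForgedLoginFails())
}
```

The transfer succeeds with nothing but the session ID, while both a forged assertion and a guessed session are refused, which is exactly why the malware in the comment waits for the user to authenticate. Requiring a fresh assertion for the sensitive action itself (rather than only at login) would force the attacker to wait for, or trick the user into, another key touch instead of reusing the cookie; it does not remove the problem, since malware that controls the host can also tamper with what gets signed.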



The TTPs outlined in the article could absolutely be mitigated by use of hardware keys, and this would reduce customer risk. You are right about the liability and support calculation, but that doesn't mean it's OK to shift risk to the customer because it's too expensive. It is a failure to not have implemented a physical key deployment, and it must be treated as a failure.
