The issue is that even if you use a YubiKey, there has to be a way to recover the account if the YubiKey is lost or damaged. This means that someone has to have the ability to reset the 2FA of an account, meaning that if someone can convince the support person who has that ability, they can change the 2FA.