
And sometimes their 2FA is SMS based. I don't use SMS. I don't use hardware phones in my workflow.

For Microsoft Teams I have no choice but to direct the call to a Twilio number and use a script to answer it and automatically hit #.

If you want 2FA, have support for hardware keys. Period.



Sounds like your organisation has just limited the 2FA options in the auth settings.

Hardware keys are supported on Teams, along with software phones (that have a static number / extension) and a linked desktop/mobile app.

In fact FIDO2 hardware keys like Yubikey are part of what Microsoft refers to as ‘passwordless’ - see https://docs.microsoft.com/en-us/azure/active-directory/auth...

I assume you aren’t an admin on the account just because otherwise you could just disable 2FA properly rather than disabling it with a weird Twilio workaround, although I have to give you credit, this is the most effort I have seen someone put in to subvert a security policy.


FIDO2 keys still lack one of the main features of physical keys that make them great... you can have many copies. FIDO2 makes it impossible to copy a key, saying instead to always use multiple FIDO2 keys in all cases. This pretty much kills the idea for it to replace passwords as no one is going to set up 3+ keys for every site they log in to. So it will only be of use to lock your password manager where registering multiple keys would be feasible.

You could use it to unlock a single OAuth account that you could then use to log in to other places. Problem with those systems is trading privacy for convenience.


It's a feature, not a bug, but in order for it to be a feature, every service should accept multiple FIDO2 keys. Many services get this utterly wrong, including AWS, while Google, GitHub, and Facebook notably have good implementations.

Why it's a feature: if you lose a key you can log in with another key and disable the lost key.

If you lose your house key you have no option but to change the lock, if you want to be safe from thieves.


That feature will kill the standard outside of mandated (corporate/gov) use cases. There's no way I want to have to worry about registering 2-3 FIDO2 keys with every site I currently use passwords for. And there's no way I'd trust Google's (or any other company's) OAuth to be my master login for every site, assuming they all take OAuth and that Google accepted multiple FIDO2 keys.

IMO it's a mis-feature and will keep it from eliminating passwords. In fact I think it will only reinforce password use as the one good case for it is to lock your password manager.


> FIDO2 keys still lack one of the main features of physical keys that make them great... you can have many copies.

There is absolutely nothing stopping you from making a copiable FIDO key, and, in fact, most Bitcoin hardware wallets are just that, since they come with FIDO apps and you can copy the keys over to another hardware key. Or, you can write some Arduino firmware to make your own, copiable, FIDO2-compatible key.


Do you know of any major players that support this? I'm only really aware of Yubico's offering and they don't have a model that allows copying.

Thanks for raising this point though. Lack of copy-ability is more an implementation issue than a problem with the standard.


Ledger wallets support U2F and are copiable. There's someone who's building an OSS hardware token that's also copiable (you can flash the same seed to as many hardware tokens as you want).

The protocol is open, though, so in theory you could semi-easily make your own FIDO2 key out of commodity hardware. The Solo 2 Hacker edition might also be copiable.


Yeah I'm not an admin on the account and have no control over it.

An app doesn't work for me either, when I have a big rack-mounted immobile desktop that should if anything BE the 2FA device, if anything, not a 6-inch easily-stealable device.


Which gets you back to the problem OP has - trusting that device enough to make it a secure root of trust. Windows lets you do it, so do Android and iOS. But your admin, maybe not (or you're not on Windows, which is more likely I guess).


I recently bought a second Yubikey and wanted to go through my accounts to add it as a backup; you know, have one locked up so that if I ever break my primary, I'm not SOL.

Not only do only about half a dozen services I use actively support hardware security keys, even fewer support enrolling more than one. Worse, many only support SMS 2FA as the backup option, which I just can't abide.


Right, AWS is the biggest offender of this. Also, Coinbase, Kraken, and several others.

Seriously, deprecate SMS already. I deprecated it 10 years ago.

