Except that the real failure point (in this particular case, and generally) is in recovery. It doesn't matter what technology you use, if there is a human being involved in the process of being able to recover access to an account or reset credentials, that process can be exploited. We are the weakest link. I would also argue that the stated goals of any authenication process being more secure and more "user friendly" (or frictionless) are diametrically opposed to one another, at least for the immediate future.