Everyone will have security keys of one sort or another shortly. I've written before about the Yubi key. This post reviews Google's answer to (and some would say rip-off of) the Yubi. "When you sign into an account that’s protected by a security key, you’ll have to insert it into your device (or pair over Bluetooth) and press the button. So this requires physically access to the key. This is basically means it’s virtually impossible to fake, and thus the current strongest form of security against phishing and other account hijacking attempts." It will still take some time before everybody is foing this, but not that much time.