Just as you want to make sure your antivirus and anti-malware protections on your devices are secured against modern attacks, you need to ensure your authentication devices also are using modern standards which are protected against newer attacks. SMS and Google Authenticator are based on one-time password (OTP) protocols that have been known to be compromised. Such attacks include extracting the secrets stored on the mobile devices, intercepting SMS communications, pulling screen data from hijacked devices, phishing and more.
Further, by tying authentication to a mobile device, either by SMS or a loaded app, your ability to positively identify yourself is tied to the device. If the device is out of power or range of communication, you cannot log in.
FIDO U2F Security Keys are the newest authentication protocol that is built to protect against phishing, session hijacking, man in the middle, and malware attacks.
At this time, Google Gsuite is the only service that allows for users to login with only Security Keys, so no other weaker backup option is used to lower the login security for the accounts. Because some browsers and operating systems still don’t support U2F, most services still allow for SMS or Google authenticator as a backup option.