It's also expensive... the vast majority of users aren't going to buy a U2F key and carry it around. They just won't. 2-way OOB authentication does protect against phishing when combined with other information, such as IP geolocation. For example, the message could say "if you are not in [city from which login is coming], do not reply to this message".
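The kind of out-of-band (OOB) confirmation described in the comment above, as an added example that is not part of the original thread: a server issues a one-time code tied to a specific login attempt, includes the login's geolocated city in the message as context for the user, and accepts only the reply that matches that attempt. The `GEO_TABLE` lookup, user names and IP addresses are constructed stand-ins; a real service would use a GeoIP database and its own session store.

```python
"""Out-of-band login confirmation bound to a single login attempt.

Added example, not code from the HN thread. GEO_TABLE is a constructed
stand-in for a GeoIP lookup; user names and IPs are constructed too.
"""
import hashlib
import hmac
import secrets
import time

# Constructed IP-prefix -> city table standing in for a GeoIP database.
GEO_TABLE = {
    "203.0.113.": "Berlin",
    "198.51.100.": "Lisbon",
}


def geolocate(ip: str) -> str:
    """Return a city for the client IP, or a neutral fallback."""
    for prefix, city in GEO_TABLE.items():
        if ip.startswith(prefix):
            return city
    return "an unknown location"


class OOBConfirmer:
    """Issues one-time confirmation codes and checks the user's reply.

    Every login attempt gets a fresh random nonce, and the code the user
    sends back is derived from that nonce. A reply therefore approves only
    the attempt it was issued for and cannot be replayed against a later one.
    """

    def __init__(self, server_secret: bytes, ttl_seconds: int = 120, clock=time.time):
        self._secret = server_secret
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # user -> (nonce, issued_at)

    def _code_for(self, user: str, nonce: str) -> str:
        mac = hmac.new(self._secret, f"{user}:{nonce}".encode(), hashlib.sha256).digest()
        # Six decimal digits: short enough for a person to type back.
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def start_login(self, user: str, client_ip: str) -> str:
        """Record a pending attempt and return the message to send out of band."""
        nonce = secrets.token_hex(16)
        self._pending[user] = (nonce, self._clock())
        city = geolocate(client_ip)
        code = self._code_for(user, nonce)
        return (f"Login attempt for {user} from {city}. "
                f"If you are not in {city}, do not reply. "
                f"To approve, reply with code {code}.")

    def confirm(self, user: str, reply_code: str) -> bool:
        """Accept the reply only if it matches the still-valid pending attempt."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        nonce, issued_at = entry
        # A stale challenge is discarded whether or not the code matches.
        if self._clock() - issued_at > self._ttl:
            del self._pending[user]
            return False
        expected = self._code_for(user, nonce)
        if not hmac.compare_digest(expected, reply_code.strip()):
            return False
        del self._pending[user]      # single use: a second reply is rejected
        return True


if __name__ == "__main__":
    confirmer = OOBConfirmer(secrets.token_bytes(32))
    message = confirmer.start_login("alice", "203.0.113.7")
    print(message)
    code = message.rsplit(" ", 1)[1].rstrip(".")
    print("approved:", confirmer.confirm("alice", code))
    print("replay accepted:", confirmer.confirm("alice", code))
```

The city in the message is display context only; the check that actually gates the login is the per-attempt code, its expiry and its single use. That separation matters because, as the reply below notes, IP geolocation can be made to look plausible by an attacker with enough source addresses, so it should inform the user rather than be the thing the server trusts.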



Simple OOB authentication is much better than nothing, and I agree with you that most users aren't going to buy a U2F key unless it's subsidized and/or required by a service (look at GitHub - they're running a $5 U2F YubiKey promotion right now).

But still, there's no way to make this really secure for the average user. IP geolocation is easily tricked - a scammer just needs a large enough botnet and he'll be able to pick an IP address in the same city for the majority of victims.


$18 for the cheapest one. I paid 12 pounds for the same key on Amazon.co.uk


Hm, I think they changed the offer, because when I went through a week and a half ago I got two for $15 (including shipping). Ah yep...

>While supplies last, GitHub users can purchase special edition U2F Security Keys for $5 plus shipping and handling (regular price $18; 5,000 special edition keys available). After the special keys are gone, all GitHub users are eligible for a 20% discount on U2F-certified YubiKeys, for a limited time.


Everyone will soon be using hardware key signing devices for identification and authorization as these keys are gonna basically be free within a couple of years. We're also moving towards self-authentication with public key crypto.


