Simple OOB authentication is much better than nothing, and I agree with you that most users aren't going to buy a U2F key unless it's subsidized and/or required by a service (look at GitHub - they're running a $5 U2F YubiKey promotion right now).
But still, there's no way to make this really secure for the average user. IP geolocation is easily tricked - a scammer just needs a large enough botnet and he'll be able to pick an IP address in the same city for the majority of victims.
Hm, I think they changed the offer, because when I went through a week and a half ago I got two for $15 (including shipping). Ah yep...
> While supplies last, GitHub users can purchase special edition U2F Security Keys for $5 plus shipping and handling (regular price $18; 5,000 special edition keys available).
> After the special keys are gone, all GitHub users are eligible for a 20% discount on U2F-certified YubiKeys, for a limited time.