Absolutely true that implementation is everything. You need a reliable "get out of jail free" card that obviously can't fall in the the wrong hands. One of the big problems with the convergence on a solution is that some for-profit company wants to be in the middle of it. And they're not 100% focused on security...They all want to know who you are. But that's a separate problem. So knowing you're the same person as before isn't enough for them, but it's enough for security. They don't want you to be able to be more than one person, because that's bad for the control they want to have. That's the reason they all want your (somewhat unique to a person) cell phone number, and it's also the reason the problem is lingering.
As crazy as it may seem, maybe the best solution requires going back to paper. At least that was the solution for the open source project I worked on.
In the scenario you mentioned where the phone had gone swimming (which I think we talked about before), the solution would have been 1) get a new phone, 2) install some open source (trusted) software, 3) unfold the paper you kept folded in your wallet, 4) scan the QR code from the paper, 5) enter your sufficiently long pass phrase (a hash of which is used by the software and never hits storage), and 6) you're back in business with any site that implemented the protocol. As long as there's no key logger, all that's secure. The QR code alone isn't enough. The pass phrase alone isn't enough. The two allow the authenticator to operate. The implementation I worked on required that every time you wanted to authenticate, you enter a subset of your pass phrase, and every now and then, it made you enter the whole pass phrase, so you had to keep remembering it. And if you forgot your pass phrase anyway, then you'd go back to the physical folder you saved on the day you originally set up your identity and use that special "the day I installed" paper. The way the set-up worked is if you didn't write down your pass phrase and then key-in your pass phrase from the paper, the install didn't work. In other words, the implementation forced the user to not take any shortcuts that would risk getting locked out. This solution had no third party involvement. There was nobody to call if you blew it, but nobody had to be trusted. As long as the pair (paper plus pass phrase) remained secret and they didn't crack the TPM on the device, then the hackers could know literally everything else and not get anywhere.