Coinbase should continue doing what they are doing, which is to support SMS, and educate and encourage users where possible to use something else instead.
Not just to lock down the logins to Coinbase, but to also secure their customers' email, Twitter accounts, and as many other online systems as would support hardware backed WebAuthn. Hell, PokerStars did this with RSA tokens back in 2008 so it's not like it's a new idea.
That also solves a major usability issue: instead of trying to juggle between a mobile application and a TOTP authenticator (on the same device!), or plugging in a USB adapter for authentication needs, you just quickly tap/wave your keyring next to the phone. Or take your phone quickly by your pocket when you need the second factor.
I'm pretty sure people have phones and Coinbase can force them to install a 2FA app.
To verify someone's identity ("Identity Proofing") using Stripe Identity [1] costs ~$2. They support IDs from 33 countries, and have implemented fraud detection in the flow. If you were so paranoid as to defend against someone stealing your government issued ID (used in the proofing process), you could paper mail a OTP to physical address on file.
Does it suck and its the cost of no digital ID infrastructure in the US? Yes. Is it insurmountable? Not at all. At the end of the day, people are the weakest link, and we must fallback to meatspace trust anchors (in this case, possession of government provided ID that can be provided on demand with robust fraud detection mechanisms). You are who you are, and own what you own, not because of key material but because of the law.
This attack wouldn't have been possible if they didn't allow SMS 2FA, so I don't think that's fair to say at all.
