App-based 2FA versus Hardware-based 2FA

How do apps like Symantec VIP / Okta Verify and similar implementations compare to using a hardware auth token such as the recent U2F devices?

How real is the possibility of an Android system being hijacked and 2FA app authentication tokens or otherwise secret keys being extracted?

Besides not needing another device, are there any other advantages to app-based 2FA?

Given that with app-based 2FA you authenticate a request or login session in real-time, is it not vulnerable to real-time authentication replay phishing attacks?

Edit: This seems to be sort-of answered here: "Can a smartphone strictly be viewed as the ‘something you possess’ factor for 2FA when it has no hardware token capability like smartcards?"
