You are using 2FA. If just one of your two factors is compromised, that doesn't mean you "aren't" using 2FA - just that there exists an attacker who is one step closer to breaking into your account.
Any attack on 2FA requires the same attacker to compromise your password and your physical device. If one adversary phishes your password and someone else finds the YubiKey you dropped on the train, you're almost certainly still OK. You need to ask whether there's a reasonable threat model where the same guy gets your password and also gets you to use his own fake key.
> the same guy gets your password and also gets you to use his own fake key.
The article started from an event happening at a conference. I haven't been at many, but I assume: 1) at some you have a badge identifying you; 2) even if you don't, depending on who you are, it could be easy to identify you from other sources. At that point, if your identity is revealed and you're using the fake token, you're no longer using 2FA. This is not the same as "some guy finding your lost token on a train", unless, of course, that person saw you losing it and knows who you are, but even then - if you lose your token, you wouldn't/shouldn't keep using your spare...
I mean, if you get a notification from HIBP that some password has been compromised on some account, I assume you'd change it, you wouldn't just go "meh, I have 2FA, why bother". Why would you ever keep on using a (potentially) fake Yubikey?
Any attack on 2FA requires the same attacker to compromise your password and your physical device. If one adversary phishes your password and someone else finds the YubiKey you dropped on the train, you're almost certainly still OK. You need to ask whether there's a reasonable threat model where the same guy gets your password and also gets you to use his own fake key.