I would recommend getting the hardware dongle. I don't have the app, never did, and I've had none of the issues others have been complaining. The dongle is, generally, a much better experience from what I can tell, except if you need to do any authorizations on the go.

Your other complaints: 100% agree, the whole thing is a privacy nightmare.

I wouldn't count on a post mortem of any value. They still refuse to explain how the system has been abused in the past. Regardless of how hard I try, I fail to understand how it has been abused after QR codes was added to ensure presence at the device you're trying to authenticate at. The system feels secure, but has been abused a number of times and we're almost never told how.