Two additional tips:
1. Prefer FIDO U2F over OATH-TOTP since TOTP relies on shared secrets while U2F relies on asymmetric keys. The newest standard, WebAuthn, is also supported by the latest YubiKey series.
2. You can also use YubiKeys/Nitrokeys for generating OATH-TOTP. This is more secure than storing TOTP secrets on your phone. Some tokens come with NFC for mobile use.
The biggest advantage of U2F/WebAuthn in my opinion is that browsers automatically mix in the origin (domain name) into the challenge. So it’s completely impossible to phish https://accounts.google.com credentials from https://evil.com.
The second advantage is that it’s dead simple — it’s just a token with one button in the simplest case, no scanning codes, no re-typing digits, no timing issues.
The disadvantage is of course that it’s not possible (by design) to back up tokens. FIDO recommends enrolling more tokens to one’s account, but some services (AWS IIRC) don’t support multiple tokens (that’s a *very* bad idea).
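The origin binding described in the post is enforced on the relying-party side: the browser writes the origin it observed into clientDataJSON, the authenticator signs over a hash of that JSON, and the server must compare the origin with its own. The following is an added example (not code from the poster or from any FIDO library); `make_client_data` simulates what a browser would emit at a given origin, and `RP_ORIGIN` is taken from the post.

```python
import base64
import hashlib
import json
import secrets

# Origin the relying party expects, taken from the post above.
RP_ORIGIN = "https://accounts.google.com"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser builds during
    navigator.credentials.get(); the browser, not the page, fills in origin."""
    body = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return json.dumps(body).encode()


def client_data_hash(client_data_json: bytes) -> bytes:
    """The authenticator signs authenticatorData || SHA-256(clientDataJSON), so a
    phishing site cannot rewrite the origin field without breaking the signature."""
    return hashlib.sha256(client_data_json).digest()


def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       expected_origin: str = RP_ORIGIN) -> tuple[bool, str]:
    """Checks the relying party must make on clientDataJSON before it even
    looks at the signature. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, f"unexpected type {cd.get('type')!r}"
    # Constant-time compare; the challenge must be the one issued for this session.
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    # This is the check that defeats a relay from https://evil.com: the browser
    # there records evil.com as the origin, which never equals RP_ORIGIN.
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')!r} does not match {expected_origin!r}"
    return True, "ok"
```

A TOTP code carries no such origin field, which is why a relayed six-digit code works on the real site while a relayed WebAuthn assertion does not.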