"Do I need a security token like Nitrokey or YubiKey for 'secure' 2FA?"
This depends on your threat model, see also https://infosec-handbook.eu/blog/discussion-secure/#sauth
If your accounts don't support WebAuthn and/or U2F but time-based one-time passwords (TOTP), you can simply use an app like FreeOTP to generate TOTPs on your smartphone. This is considered more secure and more private than SMS-based 2FA, and you don't need to buy additional hardware.
mastodon.at is a microblogging site that federates with most instances on the Fediverse.