This is the digital privacy community… I’m not sure there has ever or will ever be consensus on anything
What is everyone here doing?
My current approach is 3 layered:
High Security:
- Method: Hardware Security Key (FIDO2 U2F)
- For: Core accounts where security matters most (password manager, primary e-mail, a couple other things)
- Backup Strategy: rotation of 3 hardware keys, one on me, one nearby, one not nearby.
- Why: Highest level of security for my most important accounts (phishing resistant, malware resistant)
Medium High Security:
- Method: TOTP stored in Bitwarden (online), and a dedicated TOTP mobile app (offline)
- For: All other accounts where 2fa is important, but where I want a compromise between high security and convenience.
- Backup Strategy: TOTPs are backed up as part of Bitwarden encrypted vault backups (ideally should be backed up to 2 different places)
- Why: If I had to use a hardware key (or even a TOTP mobile app) for all my 2fa, I would probably disable it on many of my accounts due to the added inconvenience. Storing my TOTPs in Bitwarden gives me almost the same level of practical protection as a dedicated app or even a hardware key, without the inconvenience. My reason for the redundancy of online and offline TOTP is simply the ‘belt and suspenders’ approach.
Default (low-ish) Security:
- Method: None. Either no 2fa, or whatever the default 2fa option is (e.g. e-mail)
- For: Anything that doesn’t support stronger 2fa or isn’t important enough for me to care about 2fa.
- Backup Strategy: None
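The medium tier above rests on one fact: what the vault backup actually holds is the shared TOTP secret (normally as an otpauth:// URI), and whoever holds that secret can derive every code, which is why the backup is as good as the app and why it must stay encrypted. The following is an added example, not code from the original post or from Bitwarden, that parses such a URI and generates and verifies codes per RFC 6238; the URI is constructed around the RFC's published test secret so the output can be checked against the RFC's vectors.

```python
"""RFC 6238 TOTP derived from an otpauth:// URI, the form vault backups usually hold."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URI: the RFC 6238 test secret "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.org?secret="
              "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri: str) -> dict:
    """Extract label, secret and parameters from an otpauth://totp/ URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("URI carries no secret")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
    }


def totp(secret_b32: str, unix_time: int, digits=6, period=30, algorithm="SHA1") -> str:
    """Compute the TOTP code for a base32 secret at a given Unix time (RFC 6238)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # tolerate unpadded base32
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // period)        # 8-byte big-endian time step
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def code_from_uri(uri: str, unix_time: int) -> str:
    """What a restored vault entry yields: parse the URI, then derive the current code."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["digits"], p["period"], p["algorithm"])


def verify(secret_b32: str, code: str, unix_time: int, window=1, **kw) -> bool:
    """Server-side check: accept the current step or +/- `window` steps for clock drift."""
    period = kw.get("period", 30)
    return any(hmac.compare_digest(totp(secret_b32, unix_time + k * period, **kw), code)
               for k in range(-window, window + 1))
```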