At work we use to use the old Yubi keys that were nice and long and had a good contact areas. Then they switched to the nanos and wouldn't reprogram the old ones (or even order the larger ones of the same generation, or let us pay for them ourselves).
You can do the entire OTP entirely in software. Just be sure that the location you place the secret is encrypted:
Personally, I just use Keypass since it can do TOTP very easily. It's not the best 2FA since it stores the second factor alongside the passwords, but you could fix this by having two databases.
I don’t really care about this one too much because if you got a copy of my pw database and knew the password you have enough access to remove the 2FA on my stuff.
Like there is literally 0% chance I’m going to let myself get permanently locked out of my accounts if my keys and phone get stolen.
You can do the entire OTP entirely in software. Just be sure that the location you place the secret is encrypted:
https://battlepenguin.com/tech/replacing-okta-verify-with-op...