Yes, FIDO2 would be ideal. The stuff about TOTP was a digression regarding the relative security levels between the two. The extra hardware doesn't provide any practical benefit (at least IMO) for the typical person running a FOSS authenticator app on a mobile device with an up-to-date OS. Obviously, if you're something like a high-volume day trader, then it might be a different story, but the venerable $5 wrench attack still applies, so even then it seems pretty questionable to me.
> The extra hardware doesn't provide any practical benefit (at least IMO) for the typical person running a FOSS authenticator app on a mobile device with an up-to-date OS.

For the user (and in the context of Pinephones), the benefit would lie in getting banks out of their phones. Banks want a device that's not under the control of the user to use as 2FA. A dedicated hardware key would be a compromise for that. They used to give them out, but I pessimistically imagine that today they might prefer to lose a customer.