@ewon_c ofcourse a hardware key would be better, on issue with those though is that they are easy to use, and hard to make backups from, so you have to consider what would be a more likely scenario: someone losing access by losong their key, or someone being tricked into filling in both their totp and password codes?