@canion complicated passwords and TOTP codes are indeed strong but they're also still at risk for man in the middle attacks. Conversely FIDO2/WebAuthN hooks the browser and through the magic of cryptography proves that not only is the site you're authenticating to the one you think it is, but that you are in physical possession of the token. There are of course downsides to hardware tokens - you have to have the token with you for one thing :) If you want to experiment with FIDO2 - can I suggest Akamai MFA which can use your phone as a token.