Yeah, that seems like the best bet - either hardware key or TOTP (because, although hardware keys are better for security, not all users will have one - cf. myself), and then store your backup codes in a password manager.