Make sure to print out some backup codes. Also, I have two YubiKeys authorized for each of my U2F/WebAuthn accounts. Fortunately, managing multiple hardware keys is much easier with U2F/WebAuthn than with TOTP... at least with Google/AWS/GitHub, you can add a new key at any time, while with TOTP I had to generate a new TOTP secret and update both keys at the same time.
Yeah, that seems like the best bet - either hardware key or TOTP (because, although hardware keys are better for security, not all users will have one - cf. myself), and then store your backup codes in a password manager.