A security key like Yubikey is the safest 2FA option. Theoretically, a hacker could gain access to your software 2FA authentication account, but a Yubikey requires physical access to use, similar to a hardware wallet and is something a hacker can't do. It also has an authenticator app to use 2FA on websites that don't support using security keys. The Yubico authenticator app requires the Yubikey to use, so it's safer than using 2FA apps like Google Authenticator or Authy.
for people who are still on google authenticator for sites that doesn't support yubikey yet, at least dedicate a smartphone that has no sim and wifi is always off. i got an old samsung with a huge battery mod it can do over a week without charging.
as for hardware keys, you can also use trezor as a hardware key.