A hardware wallet is good as long as you choose a good, open-source one; don't use Ledger.
2. Use an app-based 2FA authenticator like Auth, Google Authenticator, Aegis and so on
3. Enable a SIM card PIN protecting your SIM card from getting accessed without your consent.
Don't use Google Authenticator; it's a bad 2FA because there's no privacy.
Enabling PIN protection is not going to help; what you should do is never link a phone number in order to access your wallet. This is also applicable to email: you shouldn't use email in order to access your wallet.