If you consider something like SMS or email 2FA, then such things are very insecure. Often people access these on the same device they are using to log in to the account in question (a phone). Often if one of these things is compromised, then both factors can be compromised, meaning it is not really 2FA at all. An example is an attacker gaining access to your email account; they can now send a password reset email and receive your 2FA code via email, rendering email 2FA useless.
Exactly, most people have the apps and 2FA security on the same device. The device falling into the wrong hands is usually risky because the 2FA code is with them; if you have some OTP-based system then the SIM card is there, and most of them have the exact email being used to log in to some apps, which is being used in their app store or already logged in on the mobile. So the risk is at full level. I would recommend using Proton Mail for security purposes, but don't forget the password for it. The best is to secure your device at the first stage.
2FA using a TOTP generated from a separate device (even better if this device is airgapped) is far more secure.
Although it also has certain limitations, it is still better than SMS security and, as you said, on different devices with an airgapped system.
Although TOTP is more secure than SMS 2FA, it has some shortcomings in its design. For instance, TOTP codes rely on a shared secret, or “seed,” stored by both the app and the server it’s connected to. If a bad actor manages to recover the shared secret, they can generate new codes at will.
We can see that if we are not using the security to optimal levels, then bad actors could easily gain access to our funds and security is compromised. But TOTP still has its own advantages. The security code changes from time to time and you can separate the accounts with names, like in Google Authenticator, but the problem is having them on a separate device, because there is no point in having them on the same mobile phone.
More secure still is 2FA using a hardware token, such as a YubiKey. To compromise your account an attacker would need to be able to steal or brute force your password, as well as be able to physically steal your hardware key. This is exponentially more difficult than simply gaining access to an email account.
If you want more secure than passwords or codes, then a hardware key is the way to go.
That's the best thing you could use as authentication, and it saves you from phishing attacks, because if you are using hardware devices for security purposes the risk factors are already reduced unless someone gains access to your keys in real life. But you should also create backup codes in case you lose it, and they should be kept offline.
The security features of a YubiKey are far more beneficial than regular TOTP and 2FA on mails and SMS, as you can have long codes set up and there is no need to manually type the code; you just have to press the button on the device to log in. Every YubiKey is also unique, so you don't need to worry about it. But it should be remembered that there are risks if we are careless.
The security can be compromised on our end, but we should always focus on maximising it, because once funds are lost it's impossible to get them back. We need to stay updated with the latest technology to whatever extent we can.
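The shared-secret property of TOTP mentioned in the thread, as an added example that is not part of any post: a minimal RFC 6238 (HMAC-SHA1) generator and server-side check showing that the code is a pure function of the seed and the clock, so every holder of the seed derives the same value. The seed is the published RFC test key, used here as constructed sample data; the function names and the one-step drift window are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(seed, unix_time // step, digits)

def verify(seed: bytes, submitted: str, unix_time: int,
           step: int = 30, drift: int = 1, digits: int = 6) -> bool:
    """Server-side check that tolerates +/- `drift` time steps of clock skew."""
    counter = unix_time // step
    ok = False
    for delta in range(-drift, drift + 1):
        if counter + delta < 0:
            continue
        candidate = hotp(seed, counter + delta, digits)
        # Constant-time comparison; no early exit on the first match.
        ok |= hmac.compare_digest(candidate, submitted)
    return ok

# Constructed sample data: the RFC 6238 test key, not a real account seed.
SEED = b"12345678901234567890"

def demo(now: int = 1111111109):
    """Authenticator app and server compute the code independently."""
    app_code = totp(SEED, now)
    # Any other copy of the seed (a backup, a server database row) gives
    # the same code: nothing device-specific enters the computation.
    copy_code = totp(bytes(SEED), now)
    return app_code, copy_code, verify(SEED, copy_code, now)

if __name__ == "__main__":
    print(demo())
```

This is why the seed needs the same protection as a password hash database on the server and an encrypted, offline backup on the client; a hardware key avoids the issue because its private key never leaves the device.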