For website security, purchasing a physical security key like a Yubikey is a must because it is more secure than GoogleAuth/Authy.
The truth is that GoogleAuth/Authy are not 100% safe. Because of the way it works, it compares your time-based code to a similar one stored server side. If the website used is compromised, i.e. the service/company is unprofessional about security (it happens often), the 2FA protection could be bypassed and ultimately broken.
In conclusion, using 2FA TOTP (time-based) is a major step forward compared with using a single password, but unfortunately it remains imperfect...
However, if you use the FIDO U2F standard through a hardware Yubikey device that you have to plug into your computer/phone/laptop, there is nothing stored server side and it requires a physical action on your side (the press of a button).
Consequently, FIDO U2F / Yubikey is the only 100% secure protection available nowadays. Unfortunately, too few websites support it by default as we speak, but adoption is on an upward slope.
Similarly, you could buy physical Yubikey clones (other brands) which, instead of USB cable connectivity, offer you a Bluetooth connection (Google will release one device like this). This is also advised against (potential security breach) because a Bluetooth connection could eventually be hijacked without you knowing. You had better stick to good old wired USB, even if it keeps you in the past, not following the evolution of tech! Don't play with security!
Yubikey stated that only NFC contactless keys are safe, and that they won't market Bluetooth devices following in Google's footsteps. Myself, I would still stick to USB over NFC.
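
The TOTP versus U2F comparison above, as an added example that is not part of the original text: with TOTP the site keeps the same secret as the authenticator app, so a copy of its user record yields the same codes, while a U2F registration leaves the site with only a public key that can check a response but not produce one. The record layout, the `makeSecurityKey` and `verifyAssertion` helpers, the origin strings and the simplified signed message are assumptions made for illustration.

```javascript
// Added example; every value below is constructed for illustration.
const nodeCrypto = require('node:crypto');

// RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) derived from the shared secret.
function totp(secret, unixSeconds, step = 30, digits = 6) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = nodeCrypto.createHmac('sha1', secret).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f; // dynamic truncation
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Hypothetical security key: the private key is created inside and never returned.
function makeSecurityKey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  // Simplified: real U2F signs hashes of the app ID and client data plus a counter.
  const sign = (origin, challenge) =>
    nodeCrypto.sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), privateKey);
  return { publicKey, sign };
}

function verifyAssertion(publicKey, origin, challenge, signature) {
  return nodeCrypto.verify('sha256', Buffer.concat([Buffer.from(origin), challenge]), publicKey, signature);
}

function demo() {
  const key = makeSecurityKey();
  // What the site stores for one user: a TOTP secret and a U2F public key.
  const serverDb = { totpSecret: Buffer.from('12345678901234567890'), u2fPublicKey: key.publicKey };
  const leaked = { ...serverDb }; // a copy of that record outside the site's control
  const now = 59; // RFC 6238 test time
  const userCode = totp(serverDb.totpSecret, now); // what the phone app displays
  const codeFromLeak = totp(leaked.totpSecret, now); // same secret, same code
  const origin = 'https://example.test';
  const challenge = nodeCrypto.randomBytes(32);
  const good = key.sign(origin, challenge);
  const other = makeSecurityKey().sign(origin, challenge); // a key that was never registered
  const check = (sig, o) => verifyAssertion(leaked.u2fPublicKey, o, challenge, sig);
  return {
    userCode, codeFromLeak,
    keyAccepted: check(good, origin),
    otherKeyAccepted: check(other, origin),
    wrongOriginAccepted: check(good, 'https://example.invalid'),
  };
}

console.log(demo());
```
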