
"SMS is not 2FA" x10000. Using it as a Second Factor needs to be regulated by law at this point.

Use a U2F or WebAuthn hardware key + backup codes printed somewhere on actual paper.



It's the same failure mode if you s/phone/token/. Except when it's a token lost/stolen we call it good security like we deserve a pat on the back that they're now fucked out of their accounts.

Yeah, I have backup codes "somewhere secure". That's two states away. What's the latest out of the security community? Do they recommend I carry an extra copy of the codes on my person? Store it in the rental lodging/car? Tolerate a week of lost access to my most crucial accounts?


I keep the backup codes in an unmarked file with no extension on Dropbox not tied to my actual email address. It has come in handy at least 5 times.


No it is not the same failure mode. One is unencrypted, unauthenticated, can be intercepted, spoofed, stolen, or shut off at whim. The other is a piece of paper.

This isn't hard.


Has anyone gotten a reliable setup working on Graphene (or Calyx/Lineage), including Yubikey apps, I suppose?



