Mixture of strong passwords and 2FA on a device. Just adding something harder to guess or acquire to the authentication chain. The standard is called FIDO2 and seems pretty well audited/tested.

How good it is, is what I'm asking about.

https://fidoalliance.org/fido2/

Discussion

I have one on a Keychain and I don't think I've actually used it once since every service does another form of 2FA. For example 1Password auto fills the OTP.

Yeah, I self-host vaultwarden and it does that. I'm using passwords as long as most websites allow too. Lol

What do they protect against? If I have a 2fa app on my phone, what’s wrong with that?

Absolutely nothing. You're already ahead of 90% of the people on the Internet. But there are active phishing scams to get people's 2FAs.

Yes, you have to fall for it.

An authenticator app can be cloned or accessed by a third party. A key is a physical device you have to plug into the device (or tap) to authenticate. So it would be much harder for someone in another continent to access your accounts without physical access to the key. But it's all moot if there's a backup way to get in.
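The contrast drawn above (an OTP can be phished and relayed, a key has to be physically present and is bound to the site) can be shown in code. The following is an added toy model, not code from the thread or from the FIDO Alliance: the TOTP half follows the RFC 6238 shape (SHA-1, 6 digits, 30-second step), while the FIDO2/WebAuthn half stands in for the authenticator's ECDSA signature with an HMAC over the same bytes WebAuthn actually signs (SHA-256(rpId) || SHA-256(clientDataJSON)), so the relying party holds the same secret instead of a public key. The hostnames `bank.example` and `bank-example.account-help.example` are constructed for the demo.

```python
"""Toy model: a relayed OTP is accepted from any page, a WebAuthn-style
assertion is bound to the origin the browser really loaded.  Added example;
the HMAC stands in for the authenticator's real ECDSA signature."""

import hashlib
import hmac
import json
import os
import struct
from typing import Optional, Tuple
from urllib.parse import urlparse

REAL_ORIGIN = "https://bank.example"                        # constructed
PHISH_ORIGIN = "https://bank-example.account-help.example"  # constructed


# ---------- authenticator-app style TOTP (RFC 6238 shape: SHA-1, 6 digits) ----------
def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp_relay_phish(secret: bytes, unix_time: int) -> bool:
    """Victim reads the code off their app and types it into the phishing page;
    the attacker forwards it to the real site inside the same 30 s step.  The
    code carries nothing about where it was typed, so the real site accepts it."""
    code_typed_into_phish_page = totp_code(secret, unix_time)   # victim
    forwarded_by_attacker = code_typed_into_phish_page          # relay
    return hmac.compare_digest(totp_code(secret, unix_time), forwarded_by_attacker)


# ---------- FIDO2 / WebAuthn style assertion ----------
def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Roaming key: one credential per relying-party ID; keys never leave the device."""

    def __init__(self) -> None:
        self._keys: dict = {}

    def make_credential(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self._keys[rp_id] = key
        return key  # stand-in for the public key handed to the relying party

    def get_assertion(self, rp_id: str, client_data_hash: bytes) -> Optional[bytes]:
        key = self._keys.get(rp_id)
        if key is None:
            return None  # no credential scoped to this rpId: nothing to sign
        return hmac.new(key, _sha256(rp_id.encode()) + client_data_hash, hashlib.sha256).digest()


def browser_get_assertion(auth: Authenticator, page_origin: str,
                          challenge: bytes) -> Tuple[bytes, Optional[bytes]]:
    """The browser, not the user, fills in rpId and origin from the page that is
    actually loaded, so a phishing page cannot claim to be bank.example."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    return client_data, auth.get_assertion(rp_id, _sha256(client_data))


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.rp_id = urlparse(origin).hostname
        self.cred_key: Optional[bytes] = None
        self.pending: Optional[bytes] = None

    def register(self, auth: Authenticator) -> None:
        self.cred_key = auth.make_credential(self.rp_id)

    def new_challenge(self) -> bytes:
        self.pending = os.urandom(32)
        return self.pending

    def verify(self, client_data: bytes, sig: Optional[bytes]) -> bool:
        if sig is None or self.cred_key is None or self.pending is None:
            return False
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False                       # signed for some other site
        if cd.get("challenge") != self.pending.hex():
            return False                       # stale or replayed challenge
        expected = hmac.new(self.cred_key, _sha256(self.rp_id.encode()) + _sha256(client_data),
                            hashlib.sha256).digest()
        self.pending = None                    # one use per challenge
        return hmac.compare_digest(expected, sig)


def fido_legit_login(rp: RelyingParty, auth: Authenticator) -> bool:
    client_data, sig = browser_get_assertion(auth, rp.origin, rp.new_challenge())
    return rp.verify(client_data, sig)


def fido_relay_phish(rp: RelyingParty, auth: Authenticator) -> bool:
    """Attacker fetches a fresh challenge from the real site and relays it to the
    victim, whose browser is on PHISH_ORIGIN.  The key has no credential for that
    host, and anything it did sign would name the phishing origin, so it fails."""
    challenge = rp.new_challenge()                                           # attacker
    client_data, sig = browser_get_assertion(auth, PHISH_ORIGIN, challenge)  # victim
    return rp.verify(client_data, sig)


if __name__ == "__main__":
    print("TOTP relayed via phishing page accepted:", totp_relay_phish(os.urandom(20), 1_700_000_000))
    key, bank = Authenticator(), RelyingParty(REAL_ORIGIN)
    bank.register(key)
    print("FIDO2 legitimate login:", fido_legit_login(bank, key))
    print("FIDO2 relayed via phishing page accepted:", fido_relay_phish(bank, key))
```

The thing to take from the model is that the user never gets to choose what origin goes into the signed data; the browser does, from the URL bar. That is why the relay trick that works against an authenticator app does not work against the key, and, as the last reply says, why it only helps if the account has no weaker fallback path.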