Any Yubikey 5-series (non-FIPS) is good. U2F and GPG cover the majority of use cases. Other subsystems (TOTP, PIV, etc) are available for less common use cases.
Discussion
the issue i've always had is getting it to work with my phone (android on calyx) correctly. any suggestions for getting that to work? maybe it's better than it was a few years ago
Oh, I mostly still use a laptop for security-critical tasks. Part of the reason is yubikey support being even worse on iPhones than on (official) Android, although I have had some success with NFC.
Phones have very good secure elements these days though. I consider that more than sufficient for anything suitable to do from a phone.
For someone who doesn’t want a yubikey at all, I would recommend a mobile device as the next best solution. Usually this involves leaving heavily on Apple/Google though, which might be incompatible with opting out of those services entirely.