Guess I get a face punch :) I ordered 3 of the Yubikey 5C NFC tokens. With tax and a cover for my wife's token, it was $170. There's a $10 off $100 coupon floating around. Looking around, 20% off seems like the "good" Black Friday pricing.
Another $10 for a pair of USB C to A adapters.
I may still write down codes and put the third token off site. Having these integrated into daily life, being prepared for immediate replacement seems worthwhile. I decided I am willing to pay $50/yr for last pass premium. Security seems like the wrong place to prioritize price. In total - $180 up front, plus $50/yr, feels reasonable.
I found Fidelity does not support a hardware token, but rather software tokens with a Symantec VIP app. They are wrapping the same protocol used by Authy/Google Authenticator, but adding a layer. You can avoid installing the extra app, but need to be clever about it:
https://locima.com/2019/06/01/replacing-symantec-vip-with-a-generic-totp-app/I don't want to remember how to be clever. I can see doing secure MFA completely will result in multiple apps plus a hardware token. I will be forced to write down codes for the apps anyways. There is not a one size fits all solution. I don't know that I'll be all in, but on accounts like email, brokerage, password manager - it seems prudent.
Admittedly, I'm kind of a nerd. Understanding MFA is interesting. If I were looking for work, it's something I could talk about in an interview. The cost/benefit trade off for me isn't purely financial.