This is a brief description of my security practices. I will make several posts and write updates as I make changes.
Facebook also can generate two-factor codes from within the app. It's the same TOTP method though.
Twitter's two-factor uses a differnet method where when you log in in a computer, your smartphone notifies you with the browser and location and allows you to confirm or deny the login. This is better since it's out of band (so to compromise my Twitter account an attacker would have to compromise my computer and phone)
I also use a security key for my Google account. Given that this fails back to my TOTP two-factor, it's technically an additional attack vector, but eventually I'll hopefully be able to disable the TOTP method and use only the security key's U2F method.
Photo Credit: https://www.flickr.com/photos/kevinshine/10597406823