Let me try and explain some of the terminology (I'm not an expert either so I appreciate corrections from anyone reading).
A password manager just helps you store your passwords, and automatically inputs passwords for you. This makes it easier to use a variety of strong passwords. Also the password manager can check for a domain name match before doing its automatic input, which helps provide phishing resistance.
"2nd factor" or "multifactor" essentially just means adding on something in addition to passwords. That could be in the form of:
* TOTP = "time-based one time password". Use an authenticator app on your phone to input a 6-digit code which changes every 30 seconds or so.
* "security keys" / "hardware security keys" -- a dedicated device that allows you to authenticate, e.g. via USB or NFC. Generally considered more secure than TOTP, because the code is more than 6 digits worth of entropy, and also it forces the website requesting the code to authenticate itself before it provides the code (again, helps with phishing resistance).
I don't know anything about passkeys or Windows Hello.
As for backup, you should be able to transfer all of your TOTPs from one phone to another by scanning a QR code. For hardware security keys, you can buy multiple keys, register all of them, and keep them in different places. Then, if you lose one, you just use one of the others (and register a replacement to maintain redundancy).
For the TOTP, if you're worried about losing your phone, usually when you set up a TOTP you can also copy down some single-use "scratch codes" that can work as a backup if your phone breaks or something like that.
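To make the TOTP and scratch-code parts concrete, here is an added example (my own code, not from the comment above) of what the authenticator app and the server are each computing: RFC 4226/6238 HOTP/TOTP over a base32 secret, a server-side check with a clock-skew window, and single-use backup codes stored only as hashes. The base32 secret is the RFC 6238 test key, and the scratch-code format (8 hex characters, SHA-256 hashed) is an assumption for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def decode_authenticator_secret(b32: str) -> bytes:
    """Secrets in otpauth:// QR codes are base32, often unpadded and lower-case."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: tolerate +/- `window` steps of clock skew, compare in constant time."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), code):
            return True
    return False


def issue_scratch_codes(n: int = 5) -> tuple[list[str], set[str]]:
    """Single-use backup codes (assumed format): show plaintext once, keep only hashes."""
    codes = [secrets.token_hex(4) for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_scratch_code(stored_hashes: set[str], code: str) -> bool:
    """A scratch code is valid exactly once: its hash is removed on successful use."""
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in stored_hashes:
        stored_hashes.remove(h)
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded as an app stores it
    key = decode_authenticator_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(key, 59), totp(key, 1111111109))  # 287082 081804
```

The window check is what lets a phone whose clock is a few seconds off still log in, and the hashed scratch-code store is why the server cannot re-display your backup codes after setup.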
> For hardware security keys, you can buy multiple keys, register all of them, and keep them in different places. Then if you lose one you just use one of the others (and register a replacement to maintain redundancy).
Do I need to have all keys in my physical possession to register them with a new account?
I could imagine having some backup keys in different places, but if I need to collect them every time I want to register them for some new account or service, it sounds like a lot of trouble.
(And if the process is too much trouble, the result would be that: (1) I don't use the hardware keys for those accounts, which is less secure; (2) I only register my primary key that I keep nearby, which is dangerous if it would get lost or broken; or (3) my backup keys end up at the same place as the primary one, due to forgetting or being too lazy to put them back, which is also dangerous…)