by bluedino 1368 days ago
We have the following:

Authenticator app, HID card, or FIDO key. Biometric is coming but the goal is to not have to give people yet another reader/device.

In theory we wouldn't have to worry about someone losing their card or key, but they don't always set up all three in their account.


Are these used in conjunction, or will any one do? If it's the former, it seems like it would make the problem of loss worse. If it's the latter, then it seems you've offered a variety of ways that someone can access your systems - steal a key, copy biometrics, guess the phone password, etc. - the weakest one will do.

You only need to use one. You need a PIN to use any of the devices as well.

Only needing one means you have the "lowest common denominator" of 2FA. E.g. authenticator apps are vulnerable to phishing, while FIDO keys are not. Adding a FIDO key as an optional second factor doesn't really add much security if people can still be phished using a MITM attack using the authenticator TOTP.
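The last comment's point, that a relaying (MITM) phishing page captures a TOTP code but not a FIDO assertion, as an added example that is not part of the thread. The TOTP half follows RFC 4226/6238 exactly. The FIDO half is a simplified model of WebAuthn: the browser, not the user, supplies the rpId and origin that get signed, so an assertion produced on a phishing domain is rejected by the real site. The authenticator's private-key signature is replaced by an HMAC key shared at registration (an assumption for brevity; real authenticators use asymmetric keys), and "bank.example" is a hypothetical relying party.

```python
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse


# ---- TOTP: RFC 6238 on top of HOTP (RFC 4226) ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    return hotp(secret, int(unix_time // step))


class TotpRelyingParty:
    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret

    def login(self, code: str, now: int) -> bool:
        # The six digits carry no information about which site the user typed them into.
        return hmac.compare_digest(code, totp(self.secret, now))


def totp_phish_succeeds(now: int = 1_700_000_000) -> bool:
    """Victim reads the code from the app and types it into the phishing page;
    the attacker forwards the same string to the real site inside the 30 s window."""
    shared_secret = b"12345678901234567890"          # constructed sample seed (RFC test vector)
    typed_at_phishing_site = totp(shared_secret, now)
    return TotpRelyingParty(shared_secret).login(typed_at_phishing_site, now)


# ---- FIDO/WebAuthn model: the assertion is bound to rpId and origin ----
class Authenticator:
    """Credentials are scoped per rpId. Real devices hold an asymmetric key pair;
    an HMAC key shared with the RP at registration stands in for the signature here."""
    def __init__(self):
        self.credentials = {}                          # rp_id -> key

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.credentials[rp_id] = key
        return key                                     # a real device would return the public key

    def get_assertion(self, rp_id: str, challenge: str, origin: str):
        key = self.credentials.get(rp_id)
        if key is None:
            return None                                # no credential for this rpId
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()      # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return client_data, auth_data, hmac.new(key, to_sign, hashlib.sha256).digest()


class Browser:
    """The browser fills in origin and rpId from the page it is actually on; the
    user only touches the key and cannot be tricked into changing these."""
    def __init__(self, page_origin: str):
        self.origin = page_origin

    def webauthn_get(self, authenticator: Authenticator, challenge: str):
        rp_id = urlparse(self.origin).hostname        # rpId must match the page's domain
        return authenticator.get_assertion(rp_id, challenge, self.origin)


class FidoRelyingParty:
    def __init__(self, rp_id: str, origin: str, credential_key: bytes):
        self.rp_id, self.origin, self.key = rp_id, origin, credential_key

    def login(self, challenge: str, assertion) -> bool:
        if assertion is None:
            return False
        client_data, auth_data, sig = assertion
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != self.origin:                  # rejects assertions made on evil.example
            return False
        if auth_data != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        expected = hmac.new(self.key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)            # signature covers origin, so it can't be edited


def fido_login(page_origin: str, forge_origin: bool = False) -> bool:
    """Run a login from `page_origin` and relay the result to the real RP.
    With forge_origin=True the attacker rewrites clientData's origin before relaying."""
    auth = Authenticator()
    key = auth.register("bank.example")                      # hypothetical relying party
    rp = FidoRelyingParty("bank.example", "https://bank.example", key)
    challenge = secrets.token_hex(16)                        # RP-issued nonce
    assertion = Browser(page_origin).webauthn_get(auth, challenge)
    if forge_origin and assertion is not None:
        client_data, auth_data, sig = assertion
        cd = json.loads(client_data)
        cd["origin"] = "https://bank.example"
        assertion = (json.dumps(cd, sort_keys=True).encode(), auth_data, sig)
    return rp.login(challenge, assertion)
```

Running `totp_phish_succeeds()` returns True: the relayed code is accepted because nothing in it names the site. `fido_login("https://bank.example")` returns True, while any phishing origin returns False for two independent reasons: the browser will not hand the phishing page a credential scoped to bank.example, and even a forged origin in clientData fails because the signature covers it. This is what makes the FIDO key non-phishable and the TOTP fallback the weakest link.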