3) The first question you should ask yourself is:
"how sad would I be to lose these funds?"
Spend as much attention as makes sense given the cost
a) "lol who cares": username/password, stick in password manager; or log in with google/etc.; whatever.
4)
b) "eh I'd rather not but I'd be ok": username + secure password, ideally + 2FA but not the end of the world. Use a secure password and a password manager.
c) "I'd live but that would really suck": username + secure password in password manager; authenticator 2FA
5)
d) "that would be really fucking bad": username + secure password + authenticator 2FA, plus all the fixin's:
--IP whitelisting
--withdrawal address whitelisting
--separate withdrawal password
--whatever else is available
Yubikey can replace authenticator for 2FA
6) and for all of the above:
Above all, MAKE SURE TO SECURE YOUR EMAIL ACCOUNT. No matter what else you do, if someone gets into your email they'll often be able to get anything.
SMS 2FA is generally bad: coverage is spotty and some countries make it trivial to sim swap.
7) Ok, but how about ledgers/other physical security?
a) if the amount at stake is HUGE then these make sense (think 8-10 figures)
b) if you really like them, then go for it
the operative things here:
--it's hard to not lose them
--they're more secure
