Thanks for posting,
The strategy of "Something you know, something you have, something you are" is well used in Identity Management.
Something you know is a secret, a password, a PIN.
Something you have is a Yubico Key, a Mobile Phone, a Smart card.
Something you are is a Biometric like your Fingerprint or Face ID.
You should select a combination of these to satisfy your security policies. But at the same time, you need to be flexible enough to ensure you don't get bogged down supporting end-users that have "forgotten" any credentials.
This is one of the reasons why we introduced User Selective 2FA in our latest 2.3 release. You can select a number of authentication methods that you are willing to support and the user can choose between them.
My preference would be to have something really strong in there, like our LogonBox Authenticator which can enforce a biometric response. But also have something like SMS and Email based OTPs. I'd steer well clear of Security Questions. If you want to invest in real hardware you could use Yubikeys or there are other app options like Google/Microsoft/Authy authenticators, and of course, Duo, although our authenticator is giving you pretty much the same features as Duo but for free!
I hope that helps.