The one I use with TwTex is an authenticator app. Essentially it is a random number generator with a common seed, so the number you have to type in changes like every 30 seconds or so. The attacker would have to have the seed and the password to be able to log in. Even if they are man-in-the-middle attacking you, they could get your password and username, but not the seed, because it's never sent, just the random number output, so when that number changed in 30 seconds, well, they would have problems. This is probably more in depth on how it actually works than you want.
The way I handle this is kind of an in-between on security. Best security is to have a password safe and a separate app on your phone, because this gives two places that have to be compromised. I use Bitwarden and it handles the TFA and auto-fills it. Security vs usability: since this takes only an extra 5 seconds for me to log in and I don't have to think, I use it.
The big reason to use a password manager like Bitwarden, 1Password, or KeePass is that it makes managing unique passwords for every site very easy. This is important, because the way stuff is usually compromised is one site has some issue that is exploited, like an SQL injection (can display parts of a database not intended to be seen by the public, like password hashes and usernames or plain passwords if the web designer is bad), then the password and email or username is used on a different site. This is why https://haveibeenpwned.com is a very good site to check your logins against. Bitwarden allows me to automatically check my logins against this database. This looks at all of the known compromised website logins and sees if your password has been changed since the last compromise. The keyring never sends your password, just website and login.
And next week in Darty's cybersecurity course we will talk about one way private/public one way encryption.
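
The authenticator scheme described in the post above, as an added example that is not part of the original post: a standard TOTP generator (RFC 6238) with a server-side check, in which the shared seed stays on both ends and only the short-lived code is ever submitted. The seed and timestamps are the published RFC test values, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid
SEED = b"12345678901234567890"  # RFC 4226/6238 test secret, not a real seed


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(seed, int(now) // STEP, digits)


def verify(seed: bytes, submitted: str, now: float, drift: int = 1) -> bool:
    """Server side: accept the current step plus/minus `drift` steps for clock
    skew. Every candidate is compared in constant time, with no early exit."""
    counter = int(now) // STEP
    ok = False
    for c in range(max(0, counter - drift), counter + drift + 1):
        ok |= hmac.compare_digest(hotp(seed, c).encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    t = 59  # constructed login time, seconds since the epoch
    code = totp(SEED, t)
    print("code on the wire:", code)  # the seed itself is never transmitted
    # A captured code replayed at later times: accepted only inside the drift
    # window, rejected once the counter has moved past it.
    for later in (t, t + 30, t + 90):
        print(f"replay at t={later}:", verify(SEED, code, later))
```

A server that also remembers the last accepted counter per account can refuse a second use of the same code inside the drift window.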