Yes software authenticators that use a security key for OTP are a good option. This is what Yubikey does with the Yubikey Authenticator. As with most security things there are tradeoffs to each approach. The pro of a software authenticator is that you can have an unlimited number of accounts, the con is that it requires the user to install an app on their phone/computer (in some cases the OTP shows up in a desktop app it may be possible for hacker to intercept). With the OTPs being generated and typed by the key itself the pro is that you don't have to install an app and login can be faster because the OTP is typed for you, no reading and typing it manually (also harder to phish). The con being you can't store unlimited accounts and since the key is typing the OTP the key has to be physically connected to a phone/computer.