1) You can protect it with an up to 60+ character PIN. It does not allow brute force and will have to be reset after 8 tries.
So there is not much anyone can do if it is stolen. And you will know, and then you can change passwords.
2) They recommend using 2 keys, with 1 as a backup. I don't like depending on just one thing, so I enable backup methods too - TOTP, for example, in Gmail, and generally you have backup codes too for 2FA.
I don't save TOTP in an authenticator (for example); instead I'll just print out the secret key/QR code and keep the file on some offline USB keys. This seems enough to me.
I am pretty happy with this now. Convenient too. It protects against phishing as well.