Comment Re:My Ideal Setup (Score 3, Informative)
hate the idea that every service I use could be accessed if someone has my device
Then use a passkey authenticator that requires a PIN or biometric entry to use the key. For example, a passkey stored on a Yubikey with a strong PIN set, or a passkey stored on a TPM configured to require entry of the PIN each time the credential is used. Many users would disable the separate PIN requirement, or choose a solution that does not require one, for their own convenience, but you don't have to. You can use the strongest possible implementation of passkeys for your purposes.
By having separate passwords for each site and requiring passkeys for MFA,
Auth with a password sent to the server plus online MFA is weak authentication. You are better off authenticating with a Passkey stored on a cryptographic authenticator which confirms multiple auth factors locally on your device.
Any fixed value you send to an online server, such as a "password", is not bound to your auth session and can be stolen and used independently with other authentications. That is why it is better to have a cryptographic device in your physical possession that authenticates a knowledge or biometric factor from you before authorizing the response to a cryptographic challenge for authentication using the secret keys stored on that module.
Statistically speaking, if your auth process involves sending a password to a remote server ("online authentication"), then that password will eventually be stolen. That, together with the unbound session, is why you can say online remote multi-factor authentication is still weak authentication.
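As an added illustration (not part of the comment above, and not a real FIDO/WebAuthn implementation), here is a small Go model of the flow the commenter describes: a device checks the PIN locally before signing, the signature covers the site name plus a per-login random challenge, and the server accepts each challenge exactly once, so a captured response has no value elsewhere. The type and function names and the "|" separator in the hash are my own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models a PIN-protected passkey (constructed example): the private key never leaves it, and it signs nothing until the PIN has been verified locally.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
}
func NewAuthenticator(pin string) *Authenticator {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv, pinHash: sha256.Sum256([]byte(pin))}
}
// clientDataHash ties a response to one site and to one login's challenge.
func clientDataHash(origin string, challenge []byte) []byte {
	sum := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return sum[:]
}
// Assert checks the knowledge factor on the device, then signs; no reusable secret is ever sent to the server.
func (a *Authenticator) Assert(pin, origin string, challenge []byte) ([]byte, error) {
	if sha256.Sum256([]byte(pin)) != a.pinHash {
		return nil, errors.New("user verification failed")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, clientDataHash(origin, challenge))
}

// RelyingParty issues a fresh random challenge per login and consumes it on use.
type RelyingParty struct {
	Origin  string
	Pub     *ecdsa.PublicKey
	pending []byte // challenge for the login in progress; nil once consumed
}
func (rp *RelyingParty) NewChallenge() []byte {
	rp.pending = make([]byte, 32)
	rand.Read(rp.pending)
	return rp.pending
}
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	if rp.pending == nil || string(challenge) != string(rp.pending) {
		return false // unknown or already-used challenge: a replayed response
	}
	rp.pending = nil
	return ecdsa.VerifyASN1(rp.Pub, clientDataHash(rp.Origin, challenge), sig)
}
```

Compare this with a password: the same fixed string is sent for every login, so one capture is enough to authenticate anywhere it is reused, whereas here an intercepted signature fails both on replay and against any other site.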