After reading the front page conversation about Google 2FA recovery issues [1], I realize there are password recovery edge cases I am blind to. The conversation seems to have significant disagreements over best practices, and there seems to be no common, well-vetted, step-by-step process "regular" people should follow, i.e. how and where to store backup tokens, what to back up from a password manager, where to store that, etc.
Is there a comprehensive best-practices guide anywhere that can help a "regular person" manage passwords, backup tokens, passphrases, etc., and have a sound strategy for recovering from common issues like losing access to Google Authenticator on a broken phone?
[1] https://news.ycombinator.com/item?id=34441697