There are two choices for "Google specific app on smartphone" – one uses online notifications (Google Prompt), the other uses offline OTP (Google Authenticator).
OTP
Google supports OTP-based 2FA under the name of "Authenticator app". It uses the OATH TOTP standard – exactly the same as what most other OTP apps use, with standard parameters (6 digits, 30 second interval).
As part of enrollment process, you'll be shown a QR code which directly contains the TOTP shared secret. You can scan it with just about any OTP app that exists (desktop apps should be able to "scan" a screenshot as well).
During the same step, you can also click the "Can't scan it?" and reveal the same TOTP seed as plain text. You can copy & paste it into your desktop OTP app, and perhaps write it down on paper to store as a backup.
The app will not need to communicate with Google. However, the device's clock needs to be accurate (the official Google app automatically compensates for wrong clocks using an online time server, but in other apps you'll need to take care of it yourself).
![enter image description here](https://i.stack.imgur.com/TRlvMm.png)
It does not matter whether you choose "iOS" or "Android" when asked for your phone type – you'll get the same process either way.
(In case the "Can't scan it?" option goes missing, the QR code can also be scanned using a generic QR decoder, which will reveal the TOTP seed in plain text. The QR code's contents use the format otpauth://totp/GitHub:someuser?secret=ABCDEF&issuer=GitHub
, with the username and issuer being for display only.)
Tokens
Regarding hardware tokens – yes, there are browser extensions which emulate a WebAuthn or U2F token, but many of them seem to be abandoned and they might not necessarily be secure. (There's also the risk of them suddenly no longer working, so if you use one, make sure to have TOTP as a backup.)
On Linux you also have software such as rust-u2f which emulates a hardware U2F token at OS level – it will work with any website and any web browser because it's seen as an actual connected HID device. Still, it is somewhat more fragile than a real hardware token, and I'm not sure if I would go as far as to recommend using it.
Finally, letting the OS provide a software-based "platform token" is actually part of the newer WebAuthn specification. Windows 10 implements it under the "Windows Hello" name (supported by all major browsers), and Apple just added a similar "iCloud Passkey" feature in macOS Monterey.
Unfortunately, Google does not support 'platform' tokens, only hardware tokens – I'm not sure whether it's deliberate or if it's because they use the older U2F API rather than WebAuthn. (However, rust-u2f will still work because it emulates a hardware token, not a platform token.)
Best Answer
As mentioned, https://aka.ms/mfasetup can be used to reset or update your MFA methods.
Administrators can also reset another user's MFA through https://portal.azure.com Then selecting Azure Active Directory -> Users -> Select the User -> Authentication Methods
There you can set up some types of authentication methods, require them to re-register, and reset their password as well.