I think Microsoft Authenticator is the smartest right now because it's a "two-cloud" solution partly out of necessity, but also that seems a trustworthy architecture more generally. Since almost no one's phone runs Windows anymore, the raw app data backups "naturally" go to either iCloud or Google Drive. Then Microsoft keeps other (HSM) decryption keys in OneDrive. The threat model requires compromises of two clouds, so Microsoft Authenticator can be way more generous on how often and easily it backs up. It's an interesting point in the security vs. convenience tradeoff.