TOTP isn’t the same as yubikey, they’re 2 different 2fa methods.
Aegis is my favorite app for TOTP, and yes a password is sufficient so long as it’s not easily predictable. I’d use a randomly generated password, at least 30 characters long, and store it in your password vault.
Facial unlock, outside of apple’s face id is for convenience not security. Most of the time it could be unlocked using a photo of your face, which anyone who knows you could get from FB. If your phone has an ultrasonic fp sensor, that would be a much more robust biometric unlock method (comparable or slightly better than face id).