1- A great bit of security advice from the Decred blog - enable strict site isolation in Chrome. It keeps every site in its own renderer process, so a page from one site cannot read another site's data, even via Spectre-style speculative-execution leaks. https://support.google.com/chrome/answer/7623121?hl=en
See the complete list of 7 golden rules in the original article:
https://blog.decred.org/2018/01/05/Cryptocurrency-security/
2- U2F is far superior to OTP: a U2F assertion is signed over the origin the browser is actually talking to, so a phishing page cannot relay it to the real site, whereas a one-time code says nothing about where it was typed and can be relayed in real time. https://blog.trezor.io/why-you-should-never-use-google-authenticator-again-e166d09d4324
Currently the only two exchanges offering U2F are Bitfinex and Nanex. Campaign for other exchanges to implement it, or we will keep suffering the inconvenience and vulnerability of OTP.
(For noobs) Don't use your mobile phone number as a 2FA option; SIM-swap and number-porting attacks let an attacker receive your SMS codes. Given that you will have to use OTP (Google Authenticator-style logins) for some accounts, choose the app carefully. Authy on two or more devices with "add more devices" turned off might be the best choice if you don't mind Twilio's privacy policy (Authy is a Twilio product).
Otherwise, choose 2FA apps which don't link an email address or phone number for recovery of your tokens, and make your own foolproof backup plan for the seeds (the secret behind each QR code) instead. Or expect a bureaucratic steeplechase of verification for every account you want to regain access to.
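To make the U2F-versus-OTP point in item 2 concrete, here is an added example (not from the original post or the linked articles) that simulates a real-time phishing relay against both factors. The TOTP side is a straight RFC 4226/6238 implementation using only the standard library and is checked against the RFC 6238 test vector. The U2F side is simplified: HMAC-SHA256 with a per-registration key stands in for the token's ECDSA signature, the appId is taken to be the page origin, and the origins `exchange.example` / `exchange-login.example`, the key and the challenge are all constructed for illustration. What it preserves is the property that matters: the browser, not the page, writes the origin into the signed client data.

```python
"""Added example: a relaying phishing page defeats TOTP but not a U2F-style
origin-bound assertion. All origins, keys and challenges are constructed."""
import hashlib
import hmac
import json
import struct


# ---- OTP side: RFC 6238 TOTP on top of RFC 4226 HOTP, stdlib only ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def site_verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Real site accepts the current 30-second window only (no drift window, for brevity)."""
    return hmac.compare_digest(code, totp(secret, unix_time))


def phish_relay_totp(victim_secret: bytes, unix_time: int) -> bool:
    """Victim types the code into the phishing page; the attacker forwards it to the
    real site inside the same window. Nothing in the code records where it was typed."""
    code_typed_on_phish = totp(victim_secret, unix_time)
    return site_verify_totp(victim_secret, code_typed_on_phish, unix_time)


# ---- U2F-style side (HMAC stands in for the token's ECDSA signature) ----
REAL_ORIGIN = "https://exchange.example"          # constructed
PHISH_ORIGIN = "https://exchange-login.example"   # constructed look-alike


def browser_u2f_sign(token_key: bytes, page_origin: str, challenge: str, counter: int):
    """What the browser does: it, not the page, writes the origin it is talking to into
    clientData, and the token signs hash(appId) || counter || hash(clientData).
    Simplification: appId is taken to be the page origin."""
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    to_sign = (hashlib.sha256(page_origin.encode()).digest()
               + struct.pack(">I", counter)
               + hashlib.sha256(client_data).digest())
    sig = hmac.new(token_key, to_sign, hashlib.sha256).digest()
    return client_data, counter, sig


def rp_verify_u2f(token_key: bytes, expected_challenge: str,
                  client_data: bytes, counter: int, sig: bytes) -> bool:
    """Relying party: check the challenge it issued and the origin it serves, then the
    signature over its own appId hash, the counter and the clientData hash."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False
    if cd.get("typ") != "navigator.id.getAssertion":
        return False
    if cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:          # the origin-binding check
        return False
    expected = (hashlib.sha256(REAL_ORIGIN.encode()).digest()
                + struct.pack(">I", counter)
                + hashlib.sha256(client_data).digest())
    good_sig = hmac.new(token_key, expected, hashlib.sha256).digest()
    return hmac.compare_digest(good_sig, sig)


def legit_u2f_login(token_key: bytes, challenge: str) -> bool:
    """User is really on the exchange: the browser signs with the real origin."""
    cd, ctr, sig = browser_u2f_sign(token_key, REAL_ORIGIN, challenge, 1)
    return rp_verify_u2f(token_key, challenge, cd, ctr, sig)


def phish_relay_u2f(token_key: bytes, challenge: str) -> bool:
    """Attacker forwards the real challenge to the victim's browser on the phishing
    origin and relays the assertion unchanged: rejected on the origin check."""
    cd, ctr, sig = browser_u2f_sign(token_key, PHISH_ORIGIN, challenge, 1)
    return rp_verify_u2f(token_key, challenge, cd, ctr, sig)


def phish_tamper_u2f(token_key: bytes, challenge: str) -> bool:
    """Attacker rewrites the origin in clientData to the real one; the signature covers
    hash(clientData), so it no longer verifies."""
    cd, ctr, sig = browser_u2f_sign(token_key, PHISH_ORIGIN, challenge, 1)
    forged = cd.replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode())
    return rp_verify_u2f(token_key, challenge, forged, ctr, sig)


if __name__ == "__main__":
    seed, key, chal = b"12345678901234567890", b"per-registration-token-key", "Y2hhbGxlbmdl"
    print("TOTP relay succeeds:", phish_relay_totp(seed, 1_700_000_000))
    print("U2F legit login:", legit_u2f_login(key, chal))
    print("U2F relay succeeds:", phish_relay_u2f(key, chal))
    print("U2F tampered relay succeeds:", phish_tamper_u2f(key, chal))
```

The relay defeats TOTP because the verifier sees only a six-digit number with no provenance. It fails against U2F twice over: the browser stamps the phishing origin into the client data, and the token's signature covers that client data, so the attacker can neither pass it through nor edit it. Real U2F and WebAuthn tokens add a monotonic counter and an attestation certificate on top, which the example leaves out.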
3- Don't leave funds lying around on exchanges.