Agreed, SOC2 says nothing about yubikey/u2f/etc. Almost any MFA will do unless one lets opinionated auditors head deep into the weeds.

You can use spreadsheet-based recordkeeping to satisfy very much of SOC2 as long as the processes are followed consistently.