At $dayjob I "solved" that problem by setting up SAML auth so we would all log in via G Suite (thus using 2FA via YubiKey there). A few months after I set that up, we got acquired by a big company that uses RSA SecurID software security tokens. The security policy mandates that you have only one active security token instance (which BTW acts as a password replacement instead of 2FA, I assume for better interop with legacy tools that only talk LDAP...)