We would like to use two-factor authentication on all accounts that are accessing the service externally (i.e., not from within our WAN). However, there is no way that we can ensure our customers (some are in restricted areas) would have a phone and/or be able to use an authenticator application. One solution that has worked very well in the past for us is emailing a one-time password (OTP) for the 2FA, with a 15-minute timeout. When we first started using this it sounded sort of kludgy, but it has worked quite well if your mail server is reasonably responsive and your session timeouts are a bit relaxed, say 12 hours or so.
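The emailed one-time-password check described above, as an added example that is not part of the original post. The class name, the 6-digit code length, the five-attempt limit and the in-memory store are assumptions; sending the email is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 15 * 60  # the 15-minute timeout from the post
OTP_DIGITS = 6             # assumption: 6-digit numeric code
MAX_ATTEMPTS = 5           # assumption: wrong guesses allowed per code


class EmailOtpStore:
    """Pending email codes keyed by account id (hypothetical, in-memory)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # per-process MAC key
        self._pending = {}  # account -> [mac, expires_at, attempts_left]

    def _mac(self, account, code):
        # Keep a keyed MAC so the store never holds the code itself.
        msg = f"{account}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account):
        """Create a fresh code (replacing any older one) and return it for emailing."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[account] = [self._mac(account, code), expires_at, MAX_ATTEMPTS]
        return code

    def verify(self, account, submitted):
        """True exactly once for the right code inside the window, else False."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        mac, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[account]  # expired: a new code must be issued
            return False
        if hmac.compare_digest(mac, self._mac(account, submitted)):
            del self._pending[account]  # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[account]  # too many wrong guesses
        return False
```

The injectable `clock` argument exists so the 15-minute window can be exercised in tests without waiting.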