I'd go with number 2 unless you want to buy everyone a hardware token (option number 3).
There are open source solutions (I've used https://2fas.com/ ) and very common solutions (Google Authenticator).
You can even print out the QR code and put it in a secure location (safe, safe deposit box) as a break-glass in case everyone's phones cease functioning.
There are open source solutions (I've used https://2fas.com/ ) and very common solutions (Google Authenticator).
You can even print out the QR code and put it in a secure location (safe, safe deposit box) as a break-glass in case everyone's phones cease functioning.