seeking advice or experience report of using 2FA

by Andrew Brooks -

My local management requires 2FA on our Moodle site. Most users log in and out of Moodle several times a day and 2FA on every login would be inconvenient. I can see an argument for site admin to be under 2FA (where a bad actor could cause a lot of harm), but should every teacher and every student also be under 2FA?

I am seeking advice or experience reports from anyone who has introduced 2FA on their Moodle site.

Andrew Brooks

In reply to Andrew Brooks

Re: seeking advice or experience report of using 2FA

by Dave Perry -
How are they logging in already? Active Directory? Single sign-on from the desktop (Windows Authentication)? Maybe you can build something into that main authentication mechanism when they first get onto the system.

What is your timeout for a Moodle login? Perhaps you could extend that to reduce the disruption?

That said, as an admin I have to 2FA into a server every time I Remote Desktop in now (apparently RDP is a major attack surface), so I just leave it open once I'm in for the day - and lock my workstation whenever I leave it alone.
In reply to Andrew Brooks

Re: seeking advice or experience report of using 2FA

by Emma Richardson -
We are currently dealing with this too. The wonderful K12 education world has proclaimed that we need to use 2FA on all our sites. Luckily I already have a Keycloak server set up and plan to shift to SSO login only for our staff. The benefit here is once they log into Keycloak, they don't then have to use the 2FA for every site.
In reply to Andrew Brooks

Re: seeking advice or experience report of using 2FA

by koen roggemans -
We let everyone log in using a SAML2 account (we use SimpleSAMLphp with a MySQL backend). The second factor comes from a privacyIDEA server.
Where I'm based, only teachers need to provide a second factor, since they have access to student data. We distinguish teachers from students in the MySQL database and filter that in SimpleSAMLphp, so only teachers get the screen for the second factor. Students are allowed in using username and password only.
The whole solution is free software (as in freedom) and open standards.
Average of ratings: Useful (2)
In reply to Andrew Brooks

Re: seeking advice or experience report of using 2FA

by Martin Biermann -

I was forced to make this change in 2018 by our IT security officer. I feared the worst, but none of my course participants (usually young physicians in their 30s) hopped off. So all things went well.

Martin Biermann

In reply to Martin Biermann

Re: seeking advice or experience report of using 2FA

by Visvanath Ratnaweera -
Hi Martin

Could you tell us more about the details of your 2FA implementation?
In reply to Andrew Brooks

Re: seeking advice or experience report of using 2FA

by Brett Dalton -
As a few other people have commented, it would be good to know more about the authentication setup. Generally adding 2FA via AAD or some external SSO can be pretty painless, especially if your IT will allow devices to be remembered so they only need to use it once a month or so. If they need to use it every time, that might be very painful. Also, if you are using SSO and there are other associated systems, then logging into any system will allow them into Moodle and it will be largely a non-issue.