The Lounge is rated Safe For Work. If you're about to post something inappropriate for a shared office environment, then don't post it. No ads, no abuse, and no programming questions. Trolling, (political, climate, religious or whatever) will result in your account being removed.
I've tried the various methods, and I would strongly recommend TOTP over SMS or push notifications. I tend to use "Google Authenticator" which you can actually use any app that supports the standard, which in my case on Android is the open source FreeOTP made by Red Hat.
In the case where you can't bring your phone to work, Google has had great success with Yubikeys.
Just make sure you're not looking at MFA in a vacuum. If you don't also implement MDM policies to enforce security on your mobile devices, you're missing the point. Any MFA solution is worthless if anyone can just pick up the mobile device and get at the code.
I'm partial to Microsoft's first-party MFA solution (based in Azure) because I work for them and help companies implement it, but no matter who you go with, make sure mobile/endpoint security is given equal attention. Security is a puzzle and no single piece is a panacea.
The morons at my bank will text or call - but not use email.
If I'm planning on banking online they know I'm near an email capable device. I may not be anywhere near a phone. The US Treasury Direct site, which is amazingly fussy to maintain security, will email the one-time code. Same for a number of online banks - major financial institutions. I'm already voting with my wallet - moving my accounts to where they'll cooperate.
Another thing - authenticating BACK to me would be nice - a great way to avoid phishing attempts.
My particular version - for extra secure - requires a custom .exe to be run, which identifies unique machine information, encrypts it (with an every-changing key) and sends it for confirmation in the machine registry. If you don't go through the .exe you cannot access the 'working' parts of the website. Rephrased, for all practical purposes, without the local launcher on a registered machine you don't even get to the same website.
Nothing is 100% hack-proof, but a local item to authenticate registered machines makes it damn tough. Meanwhile, it's a single-click (once registered) - and the browser opens for user login. No burden on the user.
Just use the good old send some random words (or numbers) to the user's email account.
If that is not secure enough, then make sure the user apply with 2 email accounts, so that your service can send two sets of different random words (or numbers) to the user's two email accounts. Which may be as safe as a "2 factor authentication services". No fumbling with phone SMS / swipe here / swipe there, etc, etc.
And if that is not secure enough, then make sure the user apply with 3 emai ... ... ... ...