2FA For Internet-Facing Hosts

I've got a customer that's a bit uptight at the number of SSH probes they get in a given day (the number is actually low compared to other systems I've run over the years). They don't really have the ability to simply "deny by default" and maintain whitelists. While the google-authenticator PAM module is dead-easy to set up, the customer's users often don't have access to mobile devices or things like Yubikeys when they're connecting into the systems that are giving them heartburn. Is anyone using a 2FA solution that doesn't rely on either physical tokens or mobile-device soft-tokens?

Seems like, at this point, most of the my web searches say "Use the google-authenticator package from EPEL". While there seem to be some desktop soft-token apps, the free ones seem to mostly be mobile-only. Just curious what others are using and the setup-bar compared to Google Authenticator are.