There are a lot of different answers - and most likely none might fit your requirements ...
In addition to 2FA, we are also required to perform location-aware access control. For example, when a user crosses borders he might still need access to one of our applications, but due to regulation certain data must not be visible across the border.
Nevertheless - we use 2FA with smartcards (SSL client certificates residing on those smartcards, to be precise). When the users log onto a Windows system, they need to do so by putting their smartcard into the smartcard reader and entering the PIN. During a successful logon the SSL client certificate residing on the smartcard gets copied into the Windows certificate store. Next, any application can fetch it from the Windows certificate store and present it to any protected backend resource during the SSL handshake.
Our web servers are utilizing a plug-in based on CA's SiteMinder which authenticates the SSL client certificate and enriches the HTTP headers (alternatively creating an ASN.1 token) with the user's identity and the location information. These HTTP headers are then picked up by our authentication service running on WebSpeed, which returns a serialized client principal object to the client application to be used to authenticate against the database.
Of course, this is a very specific implementation which we have had in place now for several years. But it might give you an idea of which questions to ask.
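The header-to-principal step described in the post above, sketched in Python as an added example that is not part of the original post and not the poster's code. The header names, gateway address, location policy and the HMAC seal standing in for the client principal's seal are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Hypothetical names and constructed values; the post names none of these.
ID_HEADER, LOC_HEADER = "X-Auth-User", "X-Auth-Location"
TRUSTED_GATEWAYS = {"10.0.0.5"}      # web server running the auth plug-in
SEAL_KEY = b"constructed-demo-key"   # stands in for the principal's sealing key
VISIBLE = {"DE": {"orders", "customers"}, "CH": {"orders"}}  # data per location

def _seal(body):
    return hmac.new(SEAL_KEY, body, hashlib.sha256).hexdigest().encode()

def issue_principal(peer_ip, headers, now=None):
    """Turn gateway-injected identity/location headers into a sealed principal."""
    # Identity headers are only as trustworthy as the hop that set them:
    # accept them solely from the web server that validated the certificate.
    if peer_ip not in TRUSTED_GATEWAYS:
        raise PermissionError("identity headers accepted only from the gateway")
    user = headers.get(ID_HEADER, "").strip()
    loc = headers.get(LOC_HEADER, "").strip().upper()
    if not user or loc not in VISIBLE:   # fail closed on unknown location
        raise PermissionError("missing identity or unknown location")
    issued = time.time() if now is None else now
    claims = {"sub": user, "loc": loc, "scope": sorted(VISIBLE[loc]),
              "exp": int(issued) + 300}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body + b"." + _seal(body)

def verify_principal(token, now=None):
    """Database-side check: the seal must match and the principal be unexpired."""
    body, _, seal = token.partition(b".")
    if not hmac.compare_digest(seal, _seal(body)):
        raise PermissionError("seal mismatch")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < (time.time() if now is None else now):
        raise PermissionError("principal expired")
    return claims

def can_see(claims, domain):
    """Location-aware filter: scope was fixed when the principal was sealed."""
    return domain in claims["scope"]
```

Because the scope is sealed into the principal at issue time, a client that changes location has to re-authenticate through the gateway to obtain a different view of the data.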