A quick off topic question related to 2FA. If an employee is required to complete the 2FA to access to the company's system, is the company responsible to provide the employee a necessary device (either phone or hardware token) to complete the 2FA?
You don't need a phone or a hardware token. e.g. https://github.com/rsc/2fa