Physical token for 2FA/MFA for web app in v16?

Hi all - we're a ways off from our v16 upgrade yet, but putting a question out into the world, so as not to be caught flat-footed by it...

We are Hosted Services clients and over the last few years have migrated basically all of our users to the Deepnet 2FA mobile app, as our stock of physical fish tokens got more and more unreliable and our workers were remotely dispersed. This has made me more conscious of the growing grey area of employees using a personal device for 2FA in order to execute their professional tasks (in a perfect world, an employer should be able to provide everything needed to do your job, without requiring the use of a personal device at all). It hasn't come up as an issue yet, but we've known we still have the physical fish tokens as a backup if an employee is unable or unwilling to use their own device to access Hosted Services and get into Tessitura.

With the v16 upgrade and 2FA getting added to access the web app as well, I'm curious if anyone else has thought ahead about how to still set up physical tokens if needed outside of the Citrix/Hosted Services ecosystem. I'm not an expert but it sounds like 2FA for the web app is using a much more standard OATH/TOTP protocol that works with the mainstream authenticator apps out there (as opposed to being locked to Deepnet). A quick Google search certainly makes it seem like there are plenty of physical token products out there that can be configured for any standard OATH token - so I'm wondering if the responsibility of securing/configuring/managing physical tokens for v16 web app access is now just shifting to individual orgs and whatever they want to do?

Would love to hear if anyone else has already been thinking about this and struck a solution, or from Network staff if there are any other considerations we need to prepare for. 

Thanks!

Evan