We just finished the first implementation for multi-factor authentication for some services at IST Austria.
MFA tokens can be created via https://privacy.ist.ac.at/ (ONLY available via VPN/Remote Desktop or on campus)
SSO login will then have an additional mask to enter the token, but ONLY if you login from outside IST Austria. (without VPN and/or Remote Desktop)
Detailed information is available via the Documentation.
MFA is ONLY enabled, if you create a token, if you delete the token again, MFA is disabled for your user!