Another option could be passwordless. Basically, use the Microsoft Authenticator app to enter a code that pops up on the screen. You need both devices in order to sign in.
If all users already have work phones and work laptops, it's a pretty reasonable setup in a Microsoft shop.