Enable a 2FA to last for a set number of days

Provide a facility to allow a user to 'trust this computer for X days' which would mean that at login they would not need to go through the 2FA process again for the specified number of days.

This could be done with a check box on the 2FA form allowing the user to select this. This is quite common on sites where 2FA is used (like the UK HMRC site).

If checked, and the 2FA validation passes, then the user would not need to complete the 2FA for the specified number of days (set as part of the SphinxConfig would be reasonable) for subsequent logins.

It would mean either storing an identifier on the computer or reading some machine identifier.

Just a thought: could this be done (maybe just in the short term) as an Event?

OnCheckIf2FANeeded(var Request2FA: Boolean)

Then it is up to developers to implement it? Not sure how to handle User/Computer identification, but a thought.

1 Like

Simply adding a 2FA option like this would be a big help. Managing the expiration of the 2FA we can handle from here, as well as the method for the 2FA (i.e. we can send the email or SMS message). What I would suggest is a var that we can pass the 2FA code back to Sphinx that it can then wait for the user to enter on the 2FA page, and if what they enter is correct (based on what we provided) then finalize the JWT and finish.

Could also create a second event: once the code is entered, it fires the event passing the code they entered, and we can then determine if the code is correct or invalid using a var Valid2FA: Boolean passed back to Sphinx in the event.

1 Like
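
One way the "trust this computer for X days" decision discussed in this thread could be made on the server, as an added example that is not part of any post and is not Sphinx code. It is written in Python for illustration; the class, method names and the 30-day default are hypothetical, the in-memory dict stands in for a database table, and `is_2fa_needed` plays the role of the proposed `OnCheckIf2FANeeded` handler. It stores a random identifier on the computer (as a cookie value) rather than reading a machine identifier, and keeps only a hash of it server-side so the expiry and the owning user cannot be altered by the client.

```python
import hashlib
import secrets
import time

TRUST_DAYS = 30  # assumed value; the thread suggests a SphinxConfig setting


class TrustedDeviceStore:
    """In-memory stand-in for a server-side table of trusted devices."""

    def __init__(self, trust_days=TRUST_DAYS):
        self.trust_seconds = trust_days * 86400
        self._rows = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def trust_device(self, user_id, now=None):
        """Call only after 2FA has passed with the box ticked; returns the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, carries no user data
        self._rows[self._digest(token)] = (user_id, now + self.trust_seconds)
        return token

    def is_2fa_needed(self, user_id, token, now=None):
        """True unless the token is known, unexpired and was issued to this user."""
        now = time.time() if now is None else now
        if not token:
            return True
        key = self._digest(token)
        row = self._rows.get(key)
        if row is None:
            return True  # unknown or forged token
        owner, expires_at = row
        if now >= expires_at:
            del self._rows[key]  # expired: forget the device
            return True
        return owner != user_id  # a token never transfers between accounts

    def revoke_all(self, user_id):
        """Drop every trusted device for a user, e.g. on password or 2FA reset."""
        self._rows = {k: v for k, v in self._rows.items() if v[0] != user_id}
```

The token would be sent as a `Secure`, `HttpOnly` cookie and checked only after the password step has succeeded, so it replaces the second factor and never the first.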