@IggyPop: It's not so much the client software bothering me. It's the way it seems to work on the Windows client level. The sole purpose of MFA is to have a more solid protection against account misuse. All MFA solutions I've seen so far do a pretty good job in securing the Windows client (i.e. the PC). But in a Windows domain environment, that's not enough. In that case, you want extra protection for domain accounts as well. In other words, the need for MFA should be initiated by the domain controller. If the domain requires MFA for a user account and that user can't provide a token, then that account is denied access to domain resources.
The current incarnation of MFA solutions I've tried so far doesn't protect domain accounts. Like I said, if you manage to gain access to the local network and you happen to have an account username and password, then you can simply access domain resources for which that account has permissions, without supplying an additional token.
So if it's that easy to circumvent MFA on a Windows Domain, then why even bother using it?