Multi-factor (MFA) authentication to O365 for remote workers without a mobile phone. Which secure solution?

We are deploying O365 in my company (Teams, SharePoint, Exchange Online, Office suite). In order to connect from outside our network (remote workers, especially during this pandemic), we've implemented MFA with Microsoft Authenticator and OTP via SMS. Some users use their professional phones, others their personal ones, for this second factor... but some do not have professional phones AND don't want to use their personal ones for privacy reasons. Giving them hard tokens is an issue for us, as it's difficult to manage in terms of logistics and support. We are thinking about soft tokens on the PC itself. Do you think it is secure enough? What are the solutions for a soft token on a PC? What is the risk? If there is a keylogger on the PC, even if the attacker gets the password and the PIN for the soft token, how can he use it on another PC, since the soft token was enrolled only on the first machine?

More globally, if you have some documentation or hints to understand the attack vectors with the various authentication methods for SaaS applications (personal device; professional device managed by the company with antivirus/EDR; laptop or PC; MFA with mobile SMS / authenticator OTP / authenticator push; PC or mobile enrolled with Intune; MFA with a soft token on the laptop plus an additional certificate on the PC...), I am more than interested 🙂

Thanks to all, and this is my first post 🙂
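The question above assumes that a soft token "enrolled only on the first machine" cannot be used elsewhere. For the most common soft-token scheme, TOTP (RFC 6238), that assumption does not hold: enrollment shares a secret seed with the server, and the code is derived only from that seed and the clock, so any machine holding a copy of the seed produces identical codes. The following is an added example written for this thread, not code from the original poster or from any product. It implements RFC 6238 with the standard library, checks itself against the RFC's published test vectors (seed `12345678901234567890`), and then simulates the two attacks a keylogger-equipped intruder could attempt: copying the seed, and replaying a captured code. The timestamps and the "victim"/"attacker" machines are constructed for illustration; nothing here claims how any specific vendor stores its seed.

```python
"""RFC 6238 TOTP soft token plus two attacker simulations.

Added example for this thread (not the original poster's code). The seed is
the RFC 6238 Appendix B test secret; timestamps and machine roles are
constructed for illustration.
"""
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC6238_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) -> dynamic truncation -> digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step. Nothing but seed + time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check accepting the current step and +/- `window` neighbours
    (the usual clock-skew tolerance). Constant-time compare per code."""
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, current + skew), code)
        for skew in range(-window, window + 1)
    )


def attacker_with_copied_seed(seed: bytes, now: int) -> bool:
    """Attacker's own PC holds only a copy of the victim's seed bytes.

    Because TOTP has no hardware binding, the attacker's code is identical to
    the one the enrolled PC would produce and the server accepts it. The only
    thing 'enrollment on one machine' protects is the seed file on that disk.
    """
    victim_code = totp(seed, now)        # computed on the enrolled PC
    attacker_code = totp(seed, now)      # computed anywhere else with the seed
    return attacker_code == victim_code and verify_totp(seed, attacker_code, now)


def attacker_replaying_keylogged_code(seed: bytes, typed_at: int,
                                      replayed_at: int) -> bool:
    """Keylogger sees only the six digits the user typed, not the seed.

    The captured code works until the server's acceptance window closes; a
    server that also records already-used codes (RFC 6238 section 5.2) would
    refuse even that, but it cannot refuse a code generated from a copied seed.
    """
    captured = totp(seed, typed_at)
    return verify_totp(seed, captured, replayed_at)


if __name__ == "__main__":
    # Self-check against RFC 6238 Appendix B (SHA-1 column, last six digits).
    for t, expected in [(59, "287082"), (1111111109, "081804"),
                        (1234567890, "005924"), (2000000000, "279037")]:
        assert totp(RFC6238_SEED, t) == expected, (t, totp(RFC6238_SEED, t))
    now = 1_000_000_000  # constructed timestamp
    print("copied seed accepted:      ", attacker_with_copied_seed(RFC6238_SEED, now))
    print("replay after 20 s accepted:", attacker_replaying_keylogged_code(RFC6238_SEED, now, now + 20))
    print("replay after 100 s accepted:", attacker_replaying_keylogged_code(RFC6238_SEED, now, now + 100))
```

The practical consequence for the question: a keylogger alone yields a code that is useful only for about a minute, but malware running as the user on the same PC can usually read whatever the soft token can read, and a copied TOTP seed is permanently useful from any machine until it is revoked. What actually makes a factor machine-bound is a credential whose private key cannot be exported, for example a key held in the PC's TPM or a FIDO2 authenticator; that property is not something this TOTP code can provide.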