I would recommend only issuing a single MFA device. If you only issue 1, then the employee is forced to come to IT if/when they lose it to get a new one issued. IT will need to use their admin access to activate the new fob (and deactivate the old one), but at least you're assured that employees aren't losing them without telling anyone.

If you issue 2 you greatly increase the chances of MFA devices going missing without it being reported to IT, since people will either A) use one of them, forget they even have the other, and not keep track of it, or B) lose one, just start using the other one, and never bother to report it to IT so they can invalidate the missing one.

Employees are VERY reluctant to report lost devices, even after being told there are no consequences or costs to them as long as they report it. I've seen employees get buddies to buzz them into the building for weeks before finally admitting to IT that they lost their access badge.

The main complication is if your company relies on outside software that doesn't have provisions for administrator oversight. For example, if you're using Google Apps, any admin can go in and replace a missing MFA device for an employee, but this isn't possible if you're using some other platforms (especially the free tiers).
