To your last point... it's funny the number of companies that are using virtual 2fa clients on their laptops for VPN connections because they wanted to save money on hardware tokens. Kind of negates the second half of 2fa.
If you have a hardware token, not on the computer... and use that as part of your VPN, if your computer is compromised, your account won't be able to be used to reconnect to VPN while you are afk without that hardware token... if the software/key are on the machine, they have your password, and the generator for 2fa... they don't even need your machine anymore... that is definitely less secure.
* You can buy a hardware token. https://www.duosecurity.com/product/methods/hardware-tokens
* You can have Duo call/text you every time you want to log in.
* You can use some other device you have that runs a mobile OS. I had Duo set up on my wifi-only iPad while I was using a feature phone for a few months a year ago. (I eventually gave up on that and got a smartphone, though.)
* You can buy a used/cheap smartphone, iPod Touch, or similar, install either the Google Authenticator or Duo app, and not use mobile service at all. You just need a bit of wifi to enroll.
* You can write an OATH client as a J2ME MIDlet. When I was using a feature phone, I spent some time figuring out how to compile J2ME apps in 2015, by piecing together ten-year-old tutorials. It works fine; if you want me to dig up details let me know. (Alternatively, someone may have written one already, but I didn't search very hard.)
* You can, technically, run an OATH client on your computer. But at that point, you take responsibility for your two-factor auth being slightly less than two-factor.
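The trade-off in the last bullet and in the reply about laptop soft tokens, as an added example that is not code from the thread: a minimal OATH TOTP client (RFC 6238 over RFC 4226 HOTP) showing that a code depends only on the seed and the clock, so a copy of a seed stored on the computer yields codes the server accepts. The seed is the RFC's published test value, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

# Published test seed from RFC 4226 / RFC 6238 (not a real credential).
RFC_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second window."""
    return hotp(seed, unix_time // step, digits)


def server_accepts(seed: bytes, code: str, unix_time: int, drift: int = 1) -> bool:
    """Verifier side: accept the current window plus/minus `drift` windows."""
    window = unix_time // 30
    return any(
        hmac.compare_digest(hotp(seed, window + d, len(code)), code)
        for d in range(-drift, drift + 1)
    )


def copied_seed_is_accepted(seed: bytes, unix_time: int) -> bool:
    """Nothing in the code binds it to a device: the inputs are seed and time.
    A seed file kept next to the password is therefore one factor, stored twice."""
    seed_copy = bytes(seed)  # stands in for a seed read from the laptop's disk
    code_from_copy = totp(seed_copy, unix_time)
    return server_accepts(seed, code_from_copy, unix_time)


if __name__ == "__main__":
    print(totp(RFC_SEED, 59, digits=8))
    print(copied_seed_is_accepted(RFC_SEED, 1111111109))
```

A hardware token runs the same computation, but the seed stays inside a device that does not hand it to the host.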