We use a different methodology that delivers up to 5 factors of authentication per login request, of which 4 are transparent to the user. One of the factors is a rotating key; another is an OTP that can only be used from the authenticator with its device-bound crypto. So we use both an OTP and a rotating key for each event.  We are also able to limit access based on geolocation at the time of the authentication event.