Google have good support for MFA. They support U2F tokens, and you can register more than one to the same account (cough AWS cough).
However, to make using MFA more convenient for users, they auto-check a "Don't ask again on this computer" checkbox. This means you generally don't get asked for your MFA device, because the machine you're on is already trusted.
I feel that the convenience of this is not worth the security trade-off though - I'd prefer to have to use my security key each time.
I had a play with the cookies Google uses. If you block the SMSV cookie on accounts.google.com you can force Google not to trust your machine and ask you to perform MFA each time you log in.
I'm doing this with the "EditThisCookie" Chrome plugin - Options > Blocked cookies. Seems to work fine so far.
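One way to do this without a third-party plugin, as an added example that is not part of the original post: a background script for a small Chrome extension that deletes the SMSV cookie on accounts.google.com whenever it is stored. It assumes a Manifest V3 extension with the "cookies" permission and host access to https://accounts.google.com/*, and that deleting the cookie straight away has the same effect as blocking it; the function names are hypothetical.

```javascript
// Added example: background script for a Manifest V3 Chrome extension.
// Assumes the "cookies" permission and host access to accounts.google.com.
// Cookie name and host come from the post; everything else is illustrative.
const BLOCKED = [{ name: "SMSV", host: "accounts.google.com" }];

// Domain cookies are stored with a leading dot; strip it before comparing.
function cookieHost(cookie) {
  return cookie.domain.replace(/^\./, "");
}

// True when a cookie matches an entry in the block list (exact name and host).
function isBlocked(cookie) {
  return BLOCKED.some((b) => b.name === cookie.name && b.host === cookieHost(cookie));
}

// chrome.cookies.remove() identifies a cookie by URL + name, so rebuild the URL.
function cookieUrl(cookie) {
  return (cookie.secure ? "https://" : "http://") + cookieHost(cookie) + cookie.path;
}

// Delete a blocked cookie as soon as the browser stores it. Removal events are
// ignored, so the delete we trigger here does not loop back into another delete.
function onCookieChanged(api, changeInfo) {
  if (changeInfo.removed || !isBlocked(changeInfo.cookie)) return false;
  const c = changeInfo.cookie;
  api.cookies.remove({ url: cookieUrl(c), name: c.name, storeId: c.storeId });
  return true;
}

// Register the listener, then clear any copy that is already in the cookie jar.
function install(api) {
  api.cookies.onChanged.addListener((info) => onCookieChanged(api, info));
  for (const b of BLOCKED) {
    api.cookies.getAll({ domain: b.host, name: b.name }, (found) =>
      found.forEach((c) => onCookieChanged(api, { removed: false, cookie: c })));
  }
}

// Only runs inside an extension, where the `chrome` global exists.
if (typeof chrome !== "undefined" && chrome.cookies) install(chrome);
```

Because the match is on exact name and host, other Google cookies are left alone and the normal session still works; only the remembered-device state is dropped.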
Future things to think about: asking the G-Suite administrators to reduce the time between logins for a group of people that use Google single sign-on for critical things.