Feature #11705
open
Integrate Multifactor Authentication into Wt's Auth module
Description
Wt currently allows users to log in with an identity like a username or email. It then requires a password.
This is a very classic way of authenticating. However, it is not sufficiently secure. There are various ways (like phishing, pharming, ...) for bad actors to get the password of a user.
Multifactor Authentication (MFA) poses an additional barrier.
Strictly speaking, MFA can take a variety of forms, like simply adding a security layer by imposing a PIN, requiring a simple question to be answered, etc.
However, these approaches are similar to a password, in that they can be acquired by malicious actors in much the same way passwords can.
More secure are physical keys, but these often require specific hardware.
The best fitting approach here would be to offer a Time-based one-time password (TOTP) implementation.
The user would need to provide the MFA secret if this feature is enabled for them.
This allows the user to generate a one-time password through any authentication application. They can then fill this code into an additional prompt after the usual login.
Much like the "Keep me Logged in" feature for a regular login, we can allow a policy to be set for this authentication, allowing a configuration that doesn't require this code each time.
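
To make the proposed second step concrete, here is an added example (not Wt code and not from this issue): a TOTP check following RFC 6238, with tolerance for one step of clock drift and rejection of replayed codes. The function names, the 30-second step, the 6-digit length and the sample secret are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step (RFC 6238 default, assumed here)
DIGITS = 6     # code length shown by common authenticator apps (assumed)


def totp(secret: bytes, counter: int) -> str:
    """One-time code for a single time-step counter, using HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, now: int, last_counter: int = -1, window: int = 1):
    """Return the matched counter, or None if the code is rejected.

    Accepts +/- `window` steps of clock drift and refuses any counter at or
    below `last_counter`, so a code that was already used cannot be replayed.
    The caller stores the returned counter per user after a successful login.
    """
    current = now // STEP
    matched = None
    for counter in range(current - window, current + window + 1):
        expected = totp(secret, counter).encode()
        # compare_digest avoids leaking how many digits matched through timing
        if hmac.compare_digest(expected, code.encode()) and counter > last_counter:
            matched = counter
    return matched


# Constructed sample: the shared secret from the RFC 6238 test vectors, and the
# Base32 form a user would enter or scan into an authenticator application.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_SECRET_B32 = base64.b32encode(SAMPLE_SECRET).decode()

if __name__ == "__main__":
    print("enrol with:", SAMPLE_SECRET_B32)
    print("code at t=59:", totp(SAMPLE_SECRET, 59 // STEP))
```
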