I've used RSA tokens, Gemalto tokens and SMS OTP as second factors, with AD password as first factor. I wouldn't recommend SMS OTP as a solution, as it has vulnerabilities, like porting your phone number using social engineering and poor reception, and most QSAs won't accept it as MFA from a PCI DSS perspective.
You may want to look at the authenticator applications, such as Google Authenticator, Authy, Duo et al.
You may also want to consider authenticating your endpoints via SSL certificate, which you can do using ADCS.
Steve
-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS