What else can be used for 2 factor other than smart cards?
Besides the logistics hassle of managing the cards purchasing, shipping and replacing them, I don't see the security benefit when users are going to either leave the cards plugged into the laptops or at least store them in the same bag with the laptop.
Does something else integrate with DirectAccess where they could use their phones or even just a memorized PIN in addition to their Windows user name and password?
Azure Multifactor?
DuoSecurity?
To clarify, it is not the DirectAccess connection itself that needs to be protected by MFA, it is the Windows login for remote users. DA would be protected indirectly by 2FA into the laptop since they can't get to DA without logging into the laptop.
We want DA to connect seamlessly once the user has done 2FA to get into the laptop so they will get security updates and sync offline files with no additional user action required other than logging into Windows.
If we require 2FA to specifically start DA connections, then users who only need access to email or other resources they can reach with a plain Internet connection will not bother to go through the steps to connect to DA.