I started and had a Two-Factor auth (TFA) module working in early 2017, but the project it was intended for never moved beyond the concept phase.
I hope it's either close to what you need or at least inspires your solution. Here's the repository that contains a working test project:
Unfortunately, it's not documented. Here are the cliff notes:
The standard Mendix login handler is overridden with custom behavior:
If the account does not have TFA enabled (a boolean on the Account entity), the login process behaves normally
If it does have TFA enabled, you will not be able to log in
A custom request handler was added to support the TFA login flow
A custom login form widget supports the TFA workflow (informing the user a token was sent, showing a form for entering the token)
In the test project, you'll find a two-factor auth module with microflows to check, send, verify, and reset the TFA token
I had used TwilioSMS to actually send the user the TFA token, but the "send" microflow can simply be updated to suit your needs
The test project also contains "magic link" logins, where a user could be emailed a link, and that link would log them directly into their home page.
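The check/send/verify/reset token flow and the magic-link variant described in the answer above, written out as an added Python example. It is not code from the linked repository or from Mendix; the TfaState fields (standing in for attributes on the Account entity), the function names, the five-minute TTL and the five-attempt budget are assumptions, and delivery of the code (SMS, e-mail) is left to the caller.

```python
"""Token lifecycle for a second-factor login step (added example, not the module's code).

Assumptions: TfaState mirrors attributes the answer says live on the Account
entity; check_tfa/send_token/verify_token/reset_token play the role of the four
microflows; the TTL and attempt limit are illustrative values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 300        # a one-time code is valid for five minutes (assumption)
MAGIC_LINK_TTL_SECONDS = 900   # an e-mailed link lives a little longer (assumption)
MAX_ATTEMPTS = 5               # wrong guesses allowed before the token is discarded


@dataclass
class TfaState:
    """Per-account state; in the test project these would be Account attributes (assumption)."""
    tfa_enabled: bool = False
    token_hash: Optional[str] = None   # only a hash of the token is persisted
    expires_at: float = 0.0
    attempts: int = 0


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def check_tfa(state: TfaState) -> bool:
    """'check' microflow: does this account require the second factor at all?"""
    return state.tfa_enabled


def reset_token(state: TfaState) -> None:
    """'reset' microflow: forget the outstanding token, whether used, expired or locked."""
    state.token_hash = None
    state.expires_at = 0.0
    state.attempts = 0


def send_token(state: TfaState, now: float, deliver: Callable[[str], None]) -> None:
    """'send' microflow: issue a fresh six-digit code, store its hash, hand the code to deliver()."""
    code = f"{secrets.randbelow(10**6):06d}"
    reset_token(state)
    state.token_hash = _digest(code)
    state.expires_at = now + TOKEN_TTL_SECONDS
    deliver(code)                      # e.g. the TwilioSMS call in the original project


def verify_token(state: TfaState, submitted: str, now: float) -> bool:
    """'verify' microflow: accept once, within the TTL, within the attempt budget."""
    if state.token_hash is None:
        return False
    if now > state.expires_at or state.attempts >= MAX_ATTEMPTS:
        reset_token(state)             # expired or locked: the user must request a new code
        return False
    state.attempts += 1
    ok = hmac.compare_digest(_digest(submitted), state.token_hash)
    if ok:
        reset_token(state)             # single use: a replayed code is rejected
    return ok


def issue_magic_link(state: TfaState, now: float, base_url: str) -> str:
    """Magic-link login: same store and checks, but a long random token carried in the URL."""
    token = secrets.token_urlsafe(32)
    reset_token(state)
    state.token_hash = _digest(token)
    state.expires_at = now + MAGIC_LINK_TTL_SECONDS
    return f"{base_url}?token={token}"


def verify_magic_link(state: TfaState, url: str, now: float) -> bool:
    """Extract the token from the clicked link and run it through the same verifier."""
    tokens = parse_qs(urlparse(url).query).get("token", [])
    if len(tokens) != 1:
        return False
    return verify_token(state, tokens[0], now)


if __name__ == "__main__":
    account = TfaState(tfa_enabled=True)
    sent = []
    send_token(account, now=0.0, deliver=sent.append)
    print("code accepted:", verify_token(account, sent[0], now=10.0))
    print("replay accepted:", verify_token(account, sent[0], now=11.0))
```

The points worth carrying over to the microflows are the ones the verifier enforces: only a hash of the token is stored, comparison is constant-time, a token expires, it is discarded after a fixed number of wrong guesses, and it is consumed on first successful use. A magic link should hold its own TfaState rather than share the one used for SMS codes, otherwise issuing one overwrites the other.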
I would discuss with the client the "without generating a valid logged-in user session" part. Because this could be handled in the home microflow where you do this check before opening the homepage. This could be done with little effort while the other one might be very hard or impossible. So why is a user session not allowed?