How can I get persistent authentication with ssh and dual-factor?

I am trying to make the inevitable transition to dual-factor authentication as painless as possible for admins and developers. One stumbling block is the need to enter the second factor each time the client opens a session. Is there a way to get dual-factor authentication for ssh in which the second factor only has to be entered once per day or some other reasonably long time period?

The idea is to set up jump hosts for ssh that require 2FA. A jump host can then be used to provide access to other servers (ssh -J JumpHost TargetHost) that will, in turn, be restricted to only accepting connections from the jump hosts.

Ideally for my environment, the first login on the jump host would require a public key, password, or Kerberos TGT plus the second factor. Subsequent logins on the same server in the time period specified would only require the first factor.

So far, I’ve checked out Duo and Okta. Duo has not gotten back to me yet on the persistence and it is not obvious from their documentation it can even be done. Okta can sort of do it, but I discovered a way to hijack credentials from one user to another — even across client machines — so it is a less attractive option.