VPNs and IP spoofing can mitigate geofencing, which is why IP locking is also important, either by using direct whitelists or some form of IPSec. Now, I know those aren't magical castle-level protections, but if you pair them with TFA, such as a fingerprint + Yubi, then you have some pretty decent front-end protection. That's why I didn't throw those suggestions in the MFA group initially, since they're not really MFA.
Another significant aspect of this: session timeouts. How long do the sessions stay passable for? A general maximum threshold should be 24 hours, with shorter sessions generally being better, although it's a balancing act between security and usability. Another good layer to try to introduce: public/private keys that are signed with something like PGP, so you can have identity validation with an SSH key. I'm pulling this one out of the air, so ideally that should allow you to leverage PGP to validate the identity of the key, so you can do a double pass on that layer.
In any case, the main issue, yet again, is the security standards. Stuff should be hard to log in to, and SFA is absolutely useless as a protective measure. The difference between great login security with MFA (not just 2FA) and SFA might be a minute; those 60 seconds can save millions, if not billions, down the road.
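As an added illustration of the session-timeout and IP-locking points in the comment above (example code written for this page, not the commenter's own), here is a session check that enforces the 24-hour absolute cap, a shorter idle timeout, an IP allowlist with the session bound to the address it was issued to, and a requirement for two distinct factor types rather than two factors of the same kind. The idle timeout, the allowlisted networks (TEST-NET ranges) and the factor catalogue are constructed assumptions; the fixed clock keeps the run deterministic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Policy values. The 24-hour absolute cap is the figure from the comment above;
# the idle timeout, the allowlisted networks (TEST-NET ranges) and the factor
# catalogue are constructed assumptions for this example.
ABSOLUTE_LIFETIME = timedelta(hours=24)
IDLE_TIMEOUT = timedelta(minutes=30)
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]

# Factor type per authenticator. "MFA" means at least two *different* types,
# so password + security question (both knowledge) does not qualify.
FACTOR_TYPE = {
    "password": "knowledge",
    "security_question": "knowledge",
    "totp": "possession",
    "fido2": "possession",
    "fingerprint": "inherence",
}

# Fixed clock so the example is deterministic.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Session:
    user: str
    issued_at: datetime      # when the login completed
    last_seen: datetime      # last authenticated request
    bound_ip: str            # client address the session was issued to
    factors: tuple           # authenticators satisfied at login


def make_session(age_hours, idle_minutes, ip, factors, user="alice"):
    """Build a session issued age_hours ago and last used idle_minutes ago."""
    return Session(user, NOW - timedelta(hours=age_hours),
                   NOW - timedelta(minutes=idle_minutes), ip, tuple(factors))


def ip_allowed(client_ip):
    """IP locking: the request must originate from an allowlisted network."""
    addr = ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def distinct_factor_types(factors):
    """Set of factor categories satisfied; unknown authenticators are ignored."""
    return {FACTOR_TYPE[f] for f in factors if f in FACTOR_TYPE}


def validate_session(session, client_ip, now=NOW):
    """Return (accepted, reason). Checks run cheapest-first; the reason string
    is what you would want written to the audit log on rejection."""
    if not ip_allowed(client_ip):
        return False, "ip_not_allowlisted"
    if client_ip != session.bound_ip:
        return False, "ip_changed_since_issue"
    if now - session.issued_at > ABSOLUTE_LIFETIME:
        return False, "absolute_lifetime_exceeded"
    if now - session.last_seen > IDLE_TIMEOUT:
        return False, "idle_timeout"
    if len(distinct_factor_types(session.factors)) < 2:
        return False, "insufficient_factor_types"
    return True, "ok"


if __name__ == "__main__":
    good = ["password", "fido2"]
    cases = {
        "good":    (make_session(1, 5, "203.0.113.10", good), "203.0.113.10"),
        "stale":   (make_session(25, 5, "203.0.113.10", good), "203.0.113.10"),
        "idle":    (make_session(2, 45, "203.0.113.10", good), "203.0.113.10"),
        "moved":   (make_session(1, 5, "203.0.113.10", good), "198.51.100.7"),
        "offnet":  (make_session(1, 5, "203.0.113.10", good), "192.0.2.5"),
        "sfa_ish": (make_session(1, 5, "203.0.113.10",
                                 ["password", "security_question"]), "203.0.113.10"),
    }
    for name, (session, ip) in cases.items():
        print(f"{name:8s} -> {validate_session(session, ip)}")
```

The ordering matters in practice: the allowlist and binding checks reject before any session state is consulted, and the factor-type check catches the case the comment warns about, where "two factors" are really one kind of factor twice.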