We used to use Active Directory and RSA and recently moved away from hardware tokens (cost/maintenance).
There are a few solutions out there which integrate with AD for first factor and then have an app for second factor on a smartphone. We settled...
For your use case, you can indicate to your users the trusted VPN address they need to enter in AnyConnect where you are configuring your ASA appliance, i.e.:
office.mycompanyVPN.com
And in the AnyConnect settings select:
“Block connections to...